Merge pull request #614 from versity/test_cmdline_iam_two

Test cmdline iam two
test: iam s3 testing, env, logging cleanup, improvement
2026-01-28 22:12:04 +00:00 · 2024-06-11 07:16:30 -07:00 · 2024-06-11 10:04:20 -03:00 · 2024-06-10 20:55:30 -07:00 · 2024-06-10 20:55:18 -07:00 · 2024-06-10 20:38:05 -07:00
112 changed files with 6269 additions and 1646 deletions
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -0,0 +1,16 @@
+name: shellcheck
+on: pull_request
+jobs:
+
+  build:
+    name: Run shellcheck
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Run checks
+      run: |
+        shellcheck --version
+        shellcheck -e SC1091 tests/*.sh tests/*/*.sh
--- a/.github/workflows/system.yml
+++ b/.github/workflows/system.yml
@@ -4,16 +4,60 @@ jobs:
  build:
    name: RunTests
    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - set: 1
+            LOCAL_FOLDER: /tmp/gw1
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-1
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-1
+            IAM_TYPE: folder
+            USERS_FOLDER: /tmp/iam1
+            AWS_ENDPOINT_URL: https://127.0.0.1:7070
+            RUN_SET: "s3cmd"
+            PORT: 7070
+          - set: 2
+            LOCAL_FOLDER: /tmp/gw2
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-2
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-2
+            IAM_TYPE: folder
+            USERS_FOLDER: /tmp/iam2
+            AWS_ENDPOINT_URL: https://127.0.0.1:7071
+            RUN_SET: "s3"
+            PORT: 7071
+          - set: 3
+            LOCAL_FOLDER: /tmp/gw3
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-3
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-3
+            IAM_TYPE: folder
+            USERS_FOLDER: /tmp/iam3
+            AWS_ENDPOINT_URL: https://127.0.0.1:7072
+            RUN_SET: "s3api"
+            PORT: 7072
+          - set: 4
+            LOCAL_FOLDER: /tmp/gw4
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-4
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-4
+            IAM_TYPE: folder
+            USERS_FOLDER: /tmp/iam4
+            AWS_ENDPOINT_URL: https://127.0.0.1:7073
+            RUN_SET: "mc"
+            PORT: 7073
+          - set: 5
+            LOCAL_FOLDER: /tmp/gw4
+            BUCKET_ONE_NAME: versity-gwtest-bucket-one-4
+            BUCKET_TWO_NAME: versity-gwtest-bucket-two-4
+            IAM_TYPE: s3
+            USERS_BUCKET: versity-gwtest-iam
+            AWS_ENDPOINT_URL: https://127.0.0.1:7074
+            RUN_SET: "aws-user"
+            PORT: 7074
+
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v4

-      - name: Install ShellCheck
-        run: sudo apt-get install shellcheck
-
-      - name: Run ShellCheck
-        run: shellcheck -S warning ./tests/*.sh
-
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
@@ -39,6 +83,27 @@ jobs:
          chmod 755 /usr/local/bin/mc

      - name: Build and run, posix backend
+        env:
+          LOCAL_FOLDER: ${{ matrix.LOCAL_FOLDER }}
+          BUCKET_ONE_NAME: ${{ matrix.BUCKET_ONE_NAME }}
+          BUCKET_TWO_NAME: ${{ matrix.BUCKET_TWO_NAME }}
+          USERS_FOLDER: ${{ matrix.USERS_FOLDER }}
+          USERS_BUCKET: ${{ matrix.USERS_BUCKET }}
+          IAM_TYPE: ${{ matrix.IAM_TYPE }}
+          AWS_ENDPOINT_URL: ${{ matrix.AWS_ENDPOINT_URL }}
+          RUN_SET: ${{ matrix.RUN_SET }}
+          PORT: ${{ matrix.PORT }}
+          AWS_PROFILE: versity
+          VERSITY_EXE: ${{ github.workspace }}/versitygw
+          RUN_VERSITYGW: true
+          BACKEND: posix
+          RECREATE_BUCKETS: true
+          CERT: ${{ github.workspace }}/cert.pem
+          KEY: ${{ github.workspace }}/versitygw.pem
+          S3CMD_CONFIG: tests/s3cfg.local.default
+          MC_ALIAS: versity
+          LOG_LEVEL: 4
+          GOCOVERDIR: ${{ github.workspace }}/cover
        run: |
          make testbin
          export AWS_ACCESS_KEY_ID=ABCDEFGHIJKLMNOPQRST
@@ -47,12 +112,12 @@ jobs:
          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile versity
          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile versity
          aws configure set aws_region $AWS_REGION --profile versity
-          mkdir /tmp/gw
+          mkdir $LOCAL_FOLDER
          export WORKSPACE=$GITHUB_WORKSPACE
-          openssl genpkey -algorithm RSA -out versitygw.pem -pkeyopt rsa_keygen_bits:2048
-          openssl req -new -x509 -key versitygw.pem -out cert.pem -days 365 -subj "/C=US/ST=California/L=San Francisco/O=Versity/OU=Software/CN=versity.com"
-          mkdir cover iam
-          VERSITYGW_TEST_ENV=./tests/.env.default ./tests/run_all.sh
+          openssl genpkey -algorithm RSA -out $KEY -pkeyopt rsa_keygen_bits:2048
+          openssl req -new -x509 -key $KEY -out $CERT -days 365 -subj "/C=US/ST=California/L=San Francisco/O=Versity/OU=Software/CN=versity.com"
+          mkdir $GOCOVERDIR $USERS_FOLDER
+          BYPASS_ENV_FILE=true ${{ github.workspace }}/tests/run.sh $RUN_SET

      #- name: Build and run, s3 backend
      #  run: |
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
  <a href="https://www.versity.com"><img alt="Versity Software logo image." src="https://github.com/versity/versitygw/blob/assets/assets/logo.svg"></a>
 </picture>

- [![Apache V2 License](https://img.shields.io/badge/license-Apache%20V2-blue.svg)](https://github.com/versity/versitygw/blob/main/LICENSE)  
+ [![Apache V2 License](https://img.shields.io/badge/license-Apache%20V2-blue.svg)](https://github.com/versity/versitygw/blob/main/LICENSE) [![Go Report Card](https://goreportcard.com/badge/github.com/versity/versitygw)](https://goreportcard.com/report/github.com/versity/versitygw) [![Go Reference](https://pkg.go.dev/badge/github.com/versity/versitygw.svg)](https://pkg.go.dev/github.com/versity/versitygw)

 ### Binary release builds
 Download [latest release](https://github.com/versity/versitygw/releases)
@@ -22,8 +22,7 @@ Download [latest release](https://github.com/versity/versitygw/releases)
 * Simplified interface for adding new storage system support

 ### News
-* New performance (scale up) analysis article [https://github.com/versity/versitygw/wiki/Performance](https://github.com/versity/versitygw/wiki/Performance)
-* New performance (scale out) Part 2 analysis article [https://github.com/versity/versitygw/wiki/Performance-Part-2](https://github.com/versity/versitygw/wiki/Performance-Part-2)
+Check out latest wiki articles: [https://github.com/versity/versitygw/wiki/Articles](https://github.com/versity/versitygw/wiki/Articles)

 ### Mailing List
 Keep up to date with latest gateway announcements by signing up to the [versitygw mailing list](https://www.versity.com/products/versitygw#signup).
--- a/auth/acl.go
+++ b/auth/acl.go
@@ -280,9 +280,15 @@ type AccessOptions struct {
 	Bucket        string
 	Object        string
 	Action        Action
+	Readonly      bool
 }

 func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) error {
+	if opts.Readonly {
+		if opts.AclPermission == types.PermissionWrite || opts.AclPermission == types.PermissionWriteAcp {
+			return s3err.GetAPIError(s3err.ErrAccessDenied)
+		}
+	}
 	if opts.IsRoot {
 		return nil
 	}
@@ -303,7 +309,7 @@ func VerifyAccess(ctx context.Context, be backend.Backend, opts AccessOptions) e
 		return s3err.GetAPIError(s3err.ErrAccessDenied)
 	}

-	if err := verifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action); err != nil {
+	if err := VerifyBucketPolicy(policy, opts.Acc.Access, opts.Bucket, opts.Object, opts.Action); err != nil {
 		return err
 	}
 	if err := verifyACL(opts.Acl, opts.Acc.Access, opts.AclPermission); err != nil {
--- a/auth/bucket_policy.go
+++ b/auth/bucket_policy.go
@@ -115,7 +115,7 @@ func ValidatePolicyDocument(policyBin []byte, bucket string, iam IAMService) err
 	return nil
 }

-func verifyBucketPolicy(policy []byte, access, bucket, object string, action Action) error {
+func VerifyBucketPolicy(policy []byte, access, bucket, object string, action Action) error {
 	// If bucket policy is not set
 	if policy == nil {
 		return nil
--- a/auth/bucket_policy_principals.go
+++ b/auth/bucket_policy_principals.go
@@ -28,7 +28,13 @@ func (p Principals) Add(key string) {
 // Override UnmarshalJSON method to decode both []string and string properties
 func (p *Principals) UnmarshalJSON(data []byte) error {
 	ss := []string{}
+	var s string
+	var k struct {
+		AWS string
+	}
+
 	var err error
+
 	if err = json.Unmarshal(data, &ss); err == nil {
 		if len(ss) == 0 {
 			return fmt.Errorf("principals can't be empty")
@@ -37,14 +43,35 @@ func (p *Principals) UnmarshalJSON(data []byte) error {
 		for _, s := range ss {
 			p.Add(s)
 		}
+		return nil
+	} else if err = json.Unmarshal(data, &s); err == nil {
+		if s == "" {
+			return fmt.Errorf("principals can't be empty")
+		}
+		*p = make(Principals)
+		p.Add(s)
+
+		return nil
+	} else if err = json.Unmarshal(data, &k); err == nil {
+		if k.AWS == "" {
+			return fmt.Errorf("principals can't be empty")
+		}
+		*p = make(Principals)
+		p.Add(k.AWS)
+
+		return nil
 	} else {
-		var s string
-		if err = json.Unmarshal(data, &s); err == nil {
-			if s == "" {
+		var sk struct {
+			AWS []string
+		}
+		if err = json.Unmarshal(data, &sk); err == nil {
+			if len(sk.AWS) == 0 {
 				return fmt.Errorf("principals can't be empty")
 			}
 			*p = make(Principals)
-			p.Add(s)
+			for _, s := range sk.AWS {
+				p.Add(s)
+			}
 		}
 	}

--- a/auth/iam.go
+++ b/auth/iam.go
@@ -30,12 +30,11 @@ const (

 // Account is a gateway IAM account
 type Account struct {
-	Access    string `json:"access"`
-	Secret    string `json:"secret"`
-	Role      Role   `json:"role"`
-	UserID    int    `json:"userID"`
-	GroupID   int    `json:"groupID"`
-	ProjectID int    `json:"projectID"`
+	Access  string `json:"access"`
+	Secret  string `json:"secret"`
+	Role    Role   `json:"role"`
+	UserID  int    `json:"userID"`
+	GroupID int    `json:"groupID"`
 }

 // IAMService is the interface for all IAM service implementations
@@ -49,28 +48,42 @@ type IAMService interface {
 	Shutdown() error
 }

-var ErrNoSuchUser = errors.New("user not found")
+var (
+	// ErrUserExists is returned when the user already exists
+	ErrUserExists = errors.New("user already exists")
+	// ErrNoSuchUser is returned when the user does not exist
+	ErrNoSuchUser = errors.New("user not found")
+)

 type Opts struct {
-	Dir                string
-	LDAPServerURL      string
-	LDAPBindDN         string
-	LDAPPassword       string
-	LDAPQueryBase      string
-	LDAPObjClasses     string
-	LDAPAccessAtr      string
-	LDAPSecretAtr      string
-	LDAPRoleAtr        string
-	S3Access           string
-	S3Secret           string
-	S3Region           string
-	S3Bucket           string
-	S3Endpoint         string
-	S3DisableSSlVerfiy bool
-	S3Debug            bool
-	CacheDisable       bool
-	CacheTTL           int
-	CachePrune         int
+	Dir                    string
+	LDAPServerURL          string
+	LDAPBindDN             string
+	LDAPPassword           string
+	LDAPQueryBase          string
+	LDAPObjClasses         string
+	LDAPAccessAtr          string
+	LDAPSecretAtr          string
+	LDAPRoleAtr            string
+	VaultEndpointURL       string
+	VaultSecretStoragePath string
+	VaultMountPath         string
+	VaultRootToken         string
+	VaultRoleId            string
+	VaultRoleSecret        string
+	VaultServerCert        string
+	VaultClientCert        string
+	VaultClientCertKey     string
+	S3Access               string
+	S3Secret               string
+	S3Region               string
+	S3Bucket               string
+	S3Endpoint             string
+	S3DisableSSlVerfiy     bool
+	S3Debug                bool
+	CacheDisable           bool
+	CacheTTL               int
+	CachePrune             int
 }

 func New(o *Opts) (IAMService, error) {
@@ -91,6 +104,11 @@ func New(o *Opts) (IAMService, error) {
 			o.S3Endpoint, o.S3DisableSSlVerfiy, o.S3Debug)
 		fmt.Printf("initializing S3 IAM with '%v/%v'\n",
 			o.S3Endpoint, o.S3Bucket)
+	case o.VaultEndpointURL != "":
+		svc, err = NewVaultIAMService(o.VaultEndpointURL, o.VaultSecretStoragePath,
+			o.VaultMountPath, o.VaultRootToken, o.VaultRoleId, o.VaultRoleSecret,
+			o.VaultServerCert, o.VaultClientCert, o.VaultClientCertKey)
+		fmt.Printf("initializing Vault IAM with %q\n", o.VaultEndpointURL)
 	default:
 		// if no iam options selected, default to the single user mode
 		fmt.Println("No IAM service configured, enabling single account mode")
--- a/auth/iam_internal.go
+++ b/auth/iam_internal.go
@@ -70,7 +70,7 @@ func (s *IAMServiceInternal) CreateAccount(account Account) error {

 		_, ok := conf.AccessAccounts[account.Access]
 		if ok {
-			return nil, fmt.Errorf("account already exists")
+			return nil, ErrUserExists
 		}
 		conf.AccessAccounts[account.Access] = account

@@ -135,12 +135,11 @@ func (s *IAMServiceInternal) ListUserAccounts() ([]Account, error) {
 	var accs []Account
 	for _, k := range keys {
 		accs = append(accs, Account{
-			Access:    k,
-			Secret:    conf.AccessAccounts[k].Secret,
-			Role:      conf.AccessAccounts[k].Role,
-			UserID:    conf.AccessAccounts[k].UserID,
-			GroupID:   conf.AccessAccounts[k].GroupID,
-			ProjectID: conf.AccessAccounts[k].ProjectID,
+			Access:  k,
+			Secret:  conf.AccessAccounts[k].Secret,
+			Role:    conf.AccessAccounts[k].Role,
+			UserID:  conf.AccessAccounts[k].UserID,
+			GroupID: conf.AccessAccounts[k].GroupID,
 		})
 	}

@@ -189,6 +188,10 @@ func parseIAM(b []byte) (iAMConfig, error) {
 		return iAMConfig{}, fmt.Errorf("failed to parse the config file: %w", err)
 	}

+	if conf.AccessAccounts == nil {
+		conf.AccessAccounts = make(map[string]Account)
+	}
+
 	return conf, nil
 }

--- a/auth/iam_ldap.go
+++ b/auth/iam_ldap.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package auth

 import (
--- a/auth/iam_s3_object.go
+++ b/auth/iam_s3_object.go
@@ -85,6 +85,13 @@ func NewS3(access, secret, region, bucket, endpoint string, sslSkipVerify, debug
 		return nil, fmt.Errorf("init s3 IAM: %v", err)
 	}

+	if endpoint != "" {
+		i.client = s3.NewFromConfig(cfg, func(o *s3.Options) {
+			o.BaseEndpoint = &endpoint
+		})
+		return i, nil
+	}
+
 	i.client = s3.NewFromConfig(cfg)
 	return i, nil
 }
@@ -97,7 +104,7 @@ func (s *IAMServiceS3) CreateAccount(account Account) error {

 	_, ok := conf.AccessAccounts[account.Access]
 	if ok {
-		return fmt.Errorf("account already exists")
+		return ErrUserExists
 	}
 	conf.AccessAccounts[account.Access] = account

@@ -148,28 +155,17 @@ func (s *IAMServiceS3) ListUserAccounts() ([]Account, error) {
 	var accs []Account
 	for _, k := range keys {
 		accs = append(accs, Account{
-			Access:    k,
-			Secret:    conf.AccessAccounts[k].Secret,
-			Role:      conf.AccessAccounts[k].Role,
-			UserID:    conf.AccessAccounts[k].UserID,
-			GroupID:   conf.AccessAccounts[k].GroupID,
-			ProjectID: conf.AccessAccounts[k].ProjectID,
+			Access:  k,
+			Secret:  conf.AccessAccounts[k].Secret,
+			Role:    conf.AccessAccounts[k].Role,
+			UserID:  conf.AccessAccounts[k].UserID,
+			GroupID: conf.AccessAccounts[k].GroupID,
 		})
 	}

 	return accs, nil
 }

-// ResolveEndpoint is used for on prem or non-aws endpoints
-func (s *IAMServiceS3) ResolveEndpoint(service, region string, options ...interface{}) (aws.Endpoint, error) {
-	return aws.Endpoint{
-		PartitionID:       "aws",
-		URL:               s.endpoint,
-		SigningRegion:     s.region,
-		HostnameImmutable: true,
-	}, nil
-}
-
 func (s *IAMServiceS3) Shutdown() error {
 	return nil
 }
@@ -188,11 +184,6 @@ func (s *IAMServiceS3) getConfig() (aws.Config, error) {
 		config.WithHTTPClient(client),
 	}

-	if s.endpoint != "" {
-		opts = append(opts,
-			config.WithEndpointResolverWithOptions(s))
-	}
-
 	if s.debug {
 		opts = append(opts,
 			config.WithClientLogMode(aws.LogSigning|aws.LogRetries|aws.LogRequest|aws.LogResponse|aws.LogRequestEventMessage|aws.LogResponseEventMessage))
@@ -213,12 +204,12 @@ func (s *IAMServiceS3) getAccounts() (iAMConfig, error) {
 		// init empty accounts stuct and return that
 		var nsk *types.NoSuchKey
 		if errors.As(err, &nsk) {
-			return iAMConfig{}, nil
+			return iAMConfig{AccessAccounts: map[string]Account{}}, nil
 		}
 		var apiErr smithy.APIError
 		if errors.As(err, &apiErr) {
 			if apiErr.ErrorCode() == "NotFound" {
-				return iAMConfig{}, nil
+				return iAMConfig{AccessAccounts: map[string]Account{}}, nil
 			}
 		}

--- a/auth/iam_vault.go
+++ b/auth/iam_vault.go
@@ -0,0 +1,226 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	vault "github.com/hashicorp/vault-client-go"
+	"github.com/hashicorp/vault-client-go/schema"
+)
+
+type VaultIAMService struct {
+	client            *vault.Client
+	reqOpts           []vault.RequestOption
+	secretStoragePath string
+}
+
+var _ IAMService = &VaultIAMService{}
+
+func NewVaultIAMService(endpoint, secretStoragePath, mountPath, rootToken, roleID, roleSecret, serverCert, clientCert, clientCertKey string) (IAMService, error) {
+	opts := []vault.ClientOption{
+		vault.WithAddress(endpoint),
+		// set request timeout to 10 secs
+		vault.WithRequestTimeout(10 * time.Second),
+	}
+	if serverCert != "" {
+		tls := vault.TLSConfiguration{}
+
+		tls.ServerCertificate.FromBytes = []byte(serverCert)
+		if clientCert != "" {
+			if clientCertKey == "" {
+				return nil, fmt.Errorf("client certificate and client certificate should both be specified")
+			}
+
+			tls.ClientCertificate.FromBytes = []byte(clientCert)
+			tls.ClientCertificateKey.FromBytes = []byte(clientCertKey)
+		}
+
+		opts = append(opts, vault.WithTLS(tls))
+	}
+
+	client, err := vault.New(opts...)
+	if err != nil {
+		return nil, fmt.Errorf("init vault client: %w", err)
+	}
+
+	reqOpts := []vault.RequestOption{}
+	// if mount path is not specified, it defaults to "approle"
+	if mountPath != "" {
+		reqOpts = append(reqOpts, vault.WithMountPath(mountPath))
+	}
+
+	// Authentication
+	switch {
+	case rootToken != "":
+		err := client.SetToken(rootToken)
+		if err != nil {
+			return nil, fmt.Errorf("root token authentication failure: %w", err)
+		}
+	case roleID != "":
+		if roleSecret == "" {
+			return nil, fmt.Errorf("role id and role secret must both be specified")
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		resp, err := client.Auth.AppRoleLogin(ctx, schema.AppRoleLoginRequest{
+			RoleId:   roleID,
+			SecretId: roleSecret,
+		}, reqOpts...)
+		cancel()
+		if err != nil {
+			return nil, fmt.Errorf("approle authentication failure: %w", err)
+		}
+
+		if err := client.SetToken(resp.Auth.ClientToken); err != nil {
+			return nil, fmt.Errorf("approle authentication set token failure: %w", err)
+		}
+	default:
+		return nil, fmt.Errorf("vault authentication requires either roleid/rolesecret or root token")
+	}
+
+	return &VaultIAMService{
+		client:            client,
+		reqOpts:           reqOpts,
+		secretStoragePath: secretStoragePath,
+	}, nil
+}
+
+func (vt *VaultIAMService) CreateAccount(account Account) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	_, err := vt.client.Secrets.KvV2Write(ctx, vt.secretStoragePath+"/"+account.Access, schema.KvV2WriteRequest{
+		Data: map[string]any{
+			account.Access: account,
+		},
+		Options: map[string]interface{}{
+			"cas": 0,
+		},
+	}, vt.reqOpts...)
+	cancel()
+	if err != nil {
+		if strings.Contains(err.Error(), "check-and-set") {
+			return ErrUserExists
+		}
+		return err
+	}
+
+	return nil
+}
+
+func (vt *VaultIAMService) GetUserAccount(access string) (Account, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	resp, err := vt.client.Secrets.KvV2Read(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
+	cancel()
+	if err != nil {
+		return Account{}, err
+	}
+
+	acc, err := parseVaultUserAccount(resp.Data.Data, access)
+	if err != nil {
+		return Account{}, err
+	}
+
+	return acc, nil
+}
+
+func (vt *VaultIAMService) DeleteUserAccount(access string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	_, err := vt.client.Secrets.KvV2DeleteMetadataAndAllVersions(ctx, vt.secretStoragePath+"/"+access, vt.reqOpts...)
+	cancel()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (vt *VaultIAMService) ListUserAccounts() ([]Account, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	resp, err := vt.client.Secrets.KvV2List(ctx, vt.secretStoragePath, vt.reqOpts...)
+	cancel()
+	if err != nil {
+		if vault.IsErrorStatus(err, 404) {
+			return []Account{}, nil
+		}
+		return nil, err
+	}
+
+	accs := []Account{}
+
+	for _, acss := range resp.Data.Keys {
+		acc, err := vt.GetUserAccount(acss)
+		if err != nil {
+			return nil, err
+		}
+		accs = append(accs, acc)
+	}
+
+	return accs, nil
+}
+
+// the client doesn't have explicit shutdown, as it uses http.Client
+func (vt *VaultIAMService) Shutdown() error {
+	return nil
+}
+
+var errInvalidUser error = errors.New("invalid user account entry in secrets engine")
+
+func parseVaultUserAccount(data map[string]interface{}, access string) (acc Account, err error) {
+	usrAcc, ok := data[access].(map[string]interface{})
+	if !ok {
+		return acc, errInvalidUser
+	}
+
+	acss, ok := usrAcc["access"].(string)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	secret, ok := usrAcc["secret"].(string)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	role, ok := usrAcc["role"].(string)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	userIdJson, ok := usrAcc["userID"].(json.Number)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	userId, err := userIdJson.Int64()
+	if err != nil {
+		return acc, errInvalidUser
+	}
+	groupIdJson, ok := usrAcc["groupID"].(json.Number)
+	if !ok {
+		return acc, errInvalidUser
+	}
+	groupId, err := groupIdJson.Int64()
+	if err != nil {
+		return acc, errInvalidUser
+	}
+
+	return Account{
+		Access:  acss,
+		Secret:  secret,
+		Role:    Role(role),
+		UserID:  int(userId),
+		GroupID: int(groupId),
+	}, nil
+}
--- a/auth/object_lock.go
+++ b/auth/object_lock.go
@@ -36,7 +36,11 @@ type BucketLockConfig struct {
 func ParseBucketLockConfigurationInput(input []byte) ([]byte, error) {
 	var lockConfig types.ObjectLockConfiguration
 	if err := xml.Unmarshal(input, &lockConfig); err != nil {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
+		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
+	}
+
+	if lockConfig.ObjectLockEnabled != "" && lockConfig.ObjectLockEnabled != types.ObjectLockEnabledEnabled {
+		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	config := BucketLockConfig{
@@ -45,8 +49,19 @@ func ParseBucketLockConfigurationInput(input []byte) ([]byte, error) {

 	if lockConfig.Rule != nil && lockConfig.Rule.DefaultRetention != nil {
 		retention := lockConfig.Rule.DefaultRetention
+
+		if retention.Mode != types.ObjectLockRetentionModeCompliance && retention.Mode != types.ObjectLockRetentionModeGovernance {
+			return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
+		}
 		if retention.Years != nil && retention.Days != nil {
-			return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
+			return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
+		}
+
+		if retention.Days != nil && *retention.Days <= 0 {
+			return nil, s3err.GetAPIError(s3err.ErrObjectLockInvalidRetentionPeriod)
+		}
+		if retention.Years != nil && *retention.Years <= 0 {
+			return nil, s3err.GetAPIError(s3err.ErrObjectLockInvalidRetentionPeriod)
 		}

 		config.DefaultRetention = retention
@@ -89,7 +104,7 @@ func ParseObjectLockRetentionInput(input []byte) ([]byte, error) {
 	case types.ObjectLockRetentionModeCompliance:
 	case types.ObjectLockRetentionModeGovernance:
 	default:
-		return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
+		return nil, s3err.GetAPIError(s3err.ErrMalformedXML)
 	}

 	return json.Marshal(retention)
@@ -120,7 +135,7 @@ func ParseObjectLegalHoldOutput(status *bool) *types.ObjectLockLegalHold {
 	}
 }

-func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []string, isAdminOrRoot bool, be backend.Backend) error {
+func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects []string, bypass bool, be backend.Backend) error {
 	data, err := be.GetObjectLockConfiguration(ctx, bucket)
 	if err != nil {
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound)) {
@@ -139,13 +154,26 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 		return nil
 	}

-	objExists := true
+	checkDefaultRetention := false
+
+	if bucketLockConfig.DefaultRetention != nil && bucketLockConfig.CreatedAt != nil {
+		expirationDate := *bucketLockConfig.CreatedAt
+		if bucketLockConfig.DefaultRetention.Days != nil {
+			expirationDate = expirationDate.AddDate(0, 0, int(*bucketLockConfig.DefaultRetention.Days))
+		}
+		if bucketLockConfig.DefaultRetention.Years != nil {
+			expirationDate = expirationDate.AddDate(int(*bucketLockConfig.DefaultRetention.Years), 0, 0)
+		}
+
+		if expirationDate.After(time.Now()) {
+			checkDefaultRetention = true
+		}
+	}

 	for _, obj := range objects {
-		var checkRetention bool = true
+		checkRetention := true
 		retentionData, err := be.GetObjectRetention(ctx, bucket, obj, "")
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
-			objExists = false
 			continue
 		}
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
@@ -165,7 +193,9 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 				if retention.RetainUntilDate.After(time.Now()) {
 					switch retention.Mode {
 					case types.ObjectLockRetentionModeGovernance:
-						if !isAdminOrRoot {
+						if !bypass {
+							return s3err.GetAPIError(s3err.ErrObjectLocked)
+						} else {
 							policy, err := be.GetBucketPolicy(ctx, bucket)
 							if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
 								return s3err.GetAPIError(s3err.ErrObjectLocked)
@@ -173,7 +203,7 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 							if err != nil {
 								return err
 							}
-							err = verifyBucketPolicy(policy, userAccess, bucket, obj, BypassGovernanceRetentionAction)
+							err = VerifyBucketPolicy(policy, userAccess, bucket, obj, BypassGovernanceRetentionAction)
 							if err != nil {
 								return s3err.GetAPIError(s3err.ErrObjectLocked)
 							}
@@ -185,37 +215,35 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 			}
 		}

+		checkLegalHold := true
+
 		status, err := be.GetObjectLegalHold(ctx, bucket, obj, "")
-		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
-			continue
-		}
 		if err != nil {
-			return err
+			if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
+				checkLegalHold = false
+			} else {
+				return err
+			}
 		}

-		if *status && !isAdminOrRoot {
+		if checkLegalHold && *status {
 			return s3err.GetAPIError(s3err.ErrObjectLocked)
 		}
-	}

-	if bucketLockConfig.DefaultRetention != nil && bucketLockConfig.CreatedAt != nil && objExists {
-		expirationDate := *bucketLockConfig.CreatedAt
-		if bucketLockConfig.DefaultRetention.Days != nil {
-			expirationDate = expirationDate.AddDate(0, 0, int(*bucketLockConfig.DefaultRetention.Days))
-		}
-		if bucketLockConfig.DefaultRetention.Years != nil {
-			expirationDate = expirationDate.AddDate(int(*bucketLockConfig.DefaultRetention.Years), 0, 0)
-		}
-
-		if expirationDate.After(time.Now()) {
+		if checkDefaultRetention {
 			switch bucketLockConfig.DefaultRetention.Mode {
 			case types.ObjectLockRetentionModeGovernance:
-				if !isAdminOrRoot {
+				if !bypass {
+					return s3err.GetAPIError(s3err.ErrObjectLocked)
+				} else {
 					policy, err := be.GetBucketPolicy(ctx, bucket)
+					if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
+						return s3err.GetAPIError(s3err.ErrObjectLocked)
+					}
 					if err != nil {
 						return err
 					}
-					err = verifyBucketPolicy(policy, userAccess, bucket, "", BypassGovernanceRetentionAction)
+					err = VerifyBucketPolicy(policy, userAccess, bucket, obj, BypassGovernanceRetentionAction)
 					if err != nil {
 						return s3err.GetAPIError(s3err.ErrObjectLocked)
 					}
--- a/aws/signer/v4/functional_test.go
+++ b/aws/signer/v4/functional_test.go
@@ -87,13 +87,13 @@ func TestStandaloneSign(t *testing.T) {

 		actual := req.Header.Get("Authorization")
 		if e, a := c.ExpSig, actual; e != a {
-			t.Errorf("expected %v, but recieved %v", e, a)
+			t.Errorf("expected %v, but received %v", e, a)
 		}
 		if e, a := c.OrigURI, req.URL.Path; e != a {
-			t.Errorf("expected %v, but recieved %v", e, a)
+			t.Errorf("expected %v, but received %v", e, a)
 		}
 		if e, a := c.EscapedURI, req.URL.EscapedPath(); e != a {
-			t.Errorf("expected %v, but recieved %v", e, a)
+			t.Errorf("expected %v, but received %v", e, a)
 		}
 	}
 }
@@ -127,13 +127,13 @@ func TestStandaloneSign_RawPath(t *testing.T) {

 		actual := req.Header.Get("Authorization")
 		if e, a := c.ExpSig, actual; e != a {
-			t.Errorf("expected %v, but recieved %v", e, a)
+			t.Errorf("expected %v, but received %v", e, a)
 		}
 		if e, a := c.OrigURI, req.URL.Path; e != a {
-			t.Errorf("expected %v, but recieved %v", e, a)
+			t.Errorf("expected %v, but received %v", e, a)
 		}
 		if e, a := c.EscapedURI, req.URL.EscapedPath(); e != a {
-			t.Errorf("expected %v, but recieved %v", e, a)
+			t.Errorf("expected %v, but received %v", e, a)
 		}
 	}
 }
--- a/backend/azure/azure.go
+++ b/backend/azure/azure.go
@@ -127,6 +127,11 @@ func (az *Azure) CreateBucket(ctx context.Context, input *s3.CreateBucketInput,
 		string(keyAclCapital): backend.GetStringPtr(string(acl)),
 	}

+	acct, ok := ctx.Value("account").(auth.Account)
+	if !ok {
+		acct = auth.Account{}
+	}
+
 	if input.ObjectLockEnabledForBucket != nil && *input.ObjectLockEnabledForBucket {
 		now := time.Now()
 		defaultLock := auth.BucketLockConfig{
@@ -142,6 +147,30 @@ func (az *Azure) CreateBucket(ctx context.Context, input *s3.CreateBucketInput,
 		meta[string(keyBucketLock)] = backend.GetStringPtr(string(defaultLockParsed))
 	}
 	_, err := az.client.CreateContainer(ctx, *input.Bucket, &container.CreateOptions{Metadata: meta})
+	if errors.Is(s3err.GetAPIError(s3err.ErrBucketAlreadyExists), azureErrToS3Err(err)) {
+		client, err := az.getContainerClient(*input.Bucket)
+		if err != nil {
+			return err
+		}
+
+		props, err := client.GetProperties(ctx, nil)
+		if err != nil {
+			return azureErrToS3Err(err)
+		}
+
+		aclPtr, ok := props.Metadata[string(keyAclCapital)]
+		if !ok {
+			return fmt.Errorf("missing acl in the bucket")
+		}
+
+		var acl auth.ACL
+		if err := json.Unmarshal([]byte(*aclPtr), &acl); err != nil {
+			return fmt.Errorf("unmarshal bucket acl: %w", err)
+		}
+		if acl.Owner == acct.Access {
+			return s3err.GetAPIError(s3err.ErrBucketAlreadyOwnedByYou)
+		}
+	}
 	return azureErrToS3Err(err)
 }

@@ -221,7 +250,7 @@ func (az *Azure) PutObject(ctx context.Context, po *s3.PutObjectInput) (string,
 		if err != nil {
 			return "", fmt.Errorf("parse object lock retention: %w", err)
 		}
-		if err := az.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", retParsed); err != nil {
+		if err := az.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", true, retParsed); err != nil {
 			return "", err
 		}
 	}
@@ -951,6 +980,20 @@ func (az *Azure) PutObjectLockConfiguration(ctx context.Context, bucket string,
 		return azureErrToS3Err(err)
 	}

+	cfg, exists := props.Metadata[string(keyBucketLock)]
+	if !exists {
+		return s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotAllowed)
+	}
+
+	var bucketLockCfg auth.BucketLockConfig
+	if err := json.Unmarshal([]byte(*cfg), &bucketLockCfg); err != nil {
+		return fmt.Errorf("unmarshal object lock config: %w", err)
+	}
+
+	if !bucketLockCfg.Enabled {
+		return s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotAllowed)
+	}
+
 	props.Metadata[string(keyBucketLock)] = backend.GetStringPtr(string(config))

 	_, err = client.SetMetadata(ctx, &container.SetMetadataOptions{
@@ -981,7 +1024,7 @@ func (az *Azure) GetObjectLockConfiguration(ctx context.Context, bucket string)
 	return []byte(*config), nil
 }

-func (az *Azure) PutObjectRetention(ctx context.Context, bucket, object, versionId string, retention []byte) error {
+func (az *Azure) PutObjectRetention(ctx context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
 	contClient, err := az.getContainerClient(bucket)
 	if err != nil {
 		return err
--- a/backend/backend.go
+++ b/backend/backend.go
@@ -84,7 +84,7 @@ type Backend interface {
 	// object lock operations
 	PutObjectLockConfiguration(_ context.Context, bucket string, config []byte) error
 	GetObjectLockConfiguration(_ context.Context, bucket string) ([]byte, error)
-	PutObjectRetention(_ context.Context, bucket, object, versionId string, retention []byte) error
+	PutObjectRetention(_ context.Context, bucket, object, versionId string, bypass bool, retention []byte) error
 	GetObjectRetention(_ context.Context, bucket, object, versionId string) ([]byte, error)
 	PutObjectLegalHold(_ context.Context, bucket, object, versionId string, status bool) error
 	GetObjectLegalHold(_ context.Context, bucket, object, versionId string) (*bool, error)
@@ -243,7 +243,7 @@ func (BackendUnsupported) PutObjectLockConfiguration(_ context.Context, bucket s
 func (BackendUnsupported) GetObjectLockConfiguration(_ context.Context, bucket string) ([]byte, error) {
 	return nil, s3err.GetAPIError(s3err.ErrNotImplemented)
 }
-func (BackendUnsupported) PutObjectRetention(_ context.Context, bucket, object, versionId string, retention []byte) error {
+func (BackendUnsupported) PutObjectRetention(_ context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
 	return s3err.GetAPIError(s3err.ErrNotImplemented)
 }
 func (BackendUnsupported) GetObjectRetention(_ context.Context, bucket, object, versionId string) ([]byte, error) {
--- a/backend/common.go
+++ b/backend/common.go
@@ -92,7 +92,7 @@ func ParseRange(fi fs.FileInfo, acceptRange string) (int64, int64, error) {
 		return 0, 0, errInvalidRange
 	}

-	if endOffset < startOffset {
+	if endOffset <= startOffset {
 		return 0, 0, errInvalidRange
 	}

--- a/backend/meta/meta.go
+++ b/backend/meta/meta.go
@@ -1,3 +1,17 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package meta

 // MetadataStorer defines the interface for managing metadata.
--- a/backend/meta/xattr.go
+++ b/backend/meta/xattr.go
@@ -1,3 +1,17 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package meta

 import (
--- a/backend/mkdir.go
+++ b/backend/mkdir.go
@@ -1,6 +1,7 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
+// Copyright 2024 Versity Software

 // MkdirAll borrowed from stdlib to add ability to set ownership
 // as directories are created
@@ -29,7 +30,7 @@ var (
 // Any newly created directory is set to provided uid/gid ownership.
 // If path is already a directory, MkdirAll does nothing
 // and returns nil.
-// Any directoy created will be set to provided uid/gid ownership
+// Any directory created will be set to provided uid/gid ownership
 // if doChown is true.
 func MkdirAll(path string, uid, gid int, doChown bool) error {
 	// Fast path: if we can tell whether path is a directory or file, stop with success or error.
--- a/backend/posix/posix.go
+++ b/backend/posix/posix.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"math"
 	"os"
 	"path/filepath"
 	"sort"
@@ -79,6 +80,9 @@ const (
 	bucketLockKey       = "bucket-lock"
 	objectRetentionKey  = "object-retention"
 	objectLegalHoldKey  = "object-legal-hold"
+
+	doFalloc   = true
+	skipFalloc = false
 )

 type PosixOpts struct {
@@ -213,6 +217,18 @@ func (p *Posix) CreateBucket(ctx context.Context, input *s3.CreateBucketInput, a

 	err := os.Mkdir(bucket, defaultDirPerm)
 	if err != nil && os.IsExist(err) {
+		aclJSON, err := p.meta.RetrieveAttribute(bucket, "", aclkey)
+		if err != nil {
+			return fmt.Errorf("get bucket acl: %w", err)
+		}
+		var acl auth.ACL
+		if err := json.Unmarshal(aclJSON, &acl); err != nil {
+			return fmt.Errorf("unmarshal acl: %w", err)
+		}
+
+		if acl.Owner == acct.Access {
+			return s3err.GetAPIError(s3err.ErrBucketAlreadyOwnedByYou)
+		}
 		return s3err.GetAPIError(s3err.ErrBucketAlreadyExists)
 	}
 	if err != nil {
@@ -288,7 +304,7 @@ func (p *Posix) DeleteBucket(_ context.Context, input *s3.DeleteBucketInput) err
 	return nil
 }

-func (p *Posix) CreateMultipartUpload(_ context.Context, mpu *s3.CreateMultipartUploadInput) (*s3.CreateMultipartUploadOutput, error) {
+func (p *Posix) CreateMultipartUpload(ctx context.Context, mpu *s3.CreateMultipartUploadInput) (*s3.CreateMultipartUploadOutput, error) {
 	if mpu.Bucket == nil {
 		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
 	}
@@ -313,6 +329,23 @@ func (p *Posix) CreateMultipartUpload(_ context.Context, mpu *s3.CreateMultipart
 		return nil, s3err.GetAPIError(s3err.ErrDirectoryObjectContainsData)
 	}

+	// parse object tags
+	tagsStr := getString(mpu.Tagging)
+	tags := make(map[string]string)
+	if tagsStr != "" {
+		tagParts := strings.Split(tagsStr, "&")
+		for _, prt := range tagParts {
+			p := strings.Split(prt, "=")
+			if len(p) != 2 {
+				return nil, s3err.GetAPIError(s3err.ErrInvalidTag)
+			}
+			if len(p[0]) > 128 || len(p[1]) > 256 {
+				return nil, s3err.GetAPIError(s3err.ErrInvalidTag)
+			}
+			tags[p[0]] = p[1]
+		}
+	}
+
 	// generate random uuid for upload id
 	uploadID := uuid.New().String()
 	// hash object name for multipart container
@@ -340,10 +373,10 @@ func (p *Posix) CreateMultipartUpload(_ context.Context, mpu *s3.CreateMultipart
 		return nil, fmt.Errorf("set name attr for upload: %w", err)
 	}

-	// set user attrs
+	// set user metadata
 	for k, v := range mpu.Metadata {
 		err := p.meta.StoreAttribute(bucket, filepath.Join(objdir, uploadID),
-			k, []byte(v))
+			fmt.Sprintf("%v.%v", metaHdr, k), []byte(v))
 		if err != nil {
 			// cleanup object if returning error
 			os.RemoveAll(filepath.Join(tmppath, uploadID))
@@ -352,6 +385,60 @@ func (p *Posix) CreateMultipartUpload(_ context.Context, mpu *s3.CreateMultipart
 		}
 	}

+	// set object tagging
+	if tagsStr != "" {
+		err := p.PutObjectTagging(ctx, bucket, filepath.Join(objdir, uploadID), tags)
+		if err != nil {
+			// cleanup object if returning error
+			os.RemoveAll(filepath.Join(tmppath, uploadID))
+			os.Remove(tmppath)
+			return nil, err
+		}
+	}
+
+	// set content-type
+	if *mpu.ContentType != "" {
+		err := p.meta.StoreAttribute(bucket, filepath.Join(objdir, uploadID),
+			contentTypeHdr, []byte(*mpu.ContentType))
+		if err != nil {
+			// cleanup object if returning error
+			os.RemoveAll(filepath.Join(tmppath, uploadID))
+			os.Remove(tmppath)
+			return nil, fmt.Errorf("set content-type: %w", err)
+		}
+	}
+
+	// set object legal hold
+	if mpu.ObjectLockLegalHoldStatus == types.ObjectLockLegalHoldStatusOn {
+		if err := p.PutObjectLegalHold(ctx, bucket, filepath.Join(objdir, uploadID), "", true); err != nil {
+			// cleanup object if returning error
+			os.RemoveAll(filepath.Join(tmppath, uploadID))
+			os.Remove(tmppath)
+			return nil, err
+		}
+	}
+
+	// Set object retention
+	if mpu.ObjectLockMode != "" {
+		retention := types.ObjectLockRetention{
+			Mode:            types.ObjectLockRetentionMode(mpu.ObjectLockMode),
+			RetainUntilDate: mpu.ObjectLockRetainUntilDate,
+		}
+		retParsed, err := json.Marshal(retention)
+		if err != nil {
+			// cleanup object if returning error
+			os.RemoveAll(filepath.Join(tmppath, uploadID))
+			os.Remove(tmppath)
+			return nil, fmt.Errorf("parse object lock retention: %w", err)
+		}
+		if err := p.PutObjectRetention(ctx, bucket, filepath.Join(objdir, uploadID), "", true, retParsed); err != nil {
+			// cleanup object if returning error
+			os.RemoveAll(filepath.Join(tmppath, uploadID))
+			os.Remove(tmppath)
+			return nil, err
+		}
+	}
+
 	return &s3.CreateMultipartUploadOutput{
 		Bucket:   &bucket,
 		Key:      &object,
@@ -422,6 +509,10 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	partsize := int64(0)
 	var totalsize int64
 	for i, part := range parts {
+		if part.PartNumber == nil || *part.PartNumber < 1 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
+		}
+
 		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
 		fullPartPath := filepath.Join(bucket, partObjPath)
 		fi, err := os.Lstat(fullPartPath)
@@ -443,13 +534,13 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 		if err != nil {
 			etag = ""
 		}
-		if etag != *parts[i].ETag {
+		if parts[i].ETag == nil || etag != *parts[i].ETag {
 			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
 		}
 	}

 	f, err := p.openTmpFile(filepath.Join(bucket, metaTmpDir), bucket, object,
-		totalsize, acct)
+		totalsize, acct, skipFalloc)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
 			return nil, s3err.GetAPIError(s3err.ErrQuotaExceeded)
@@ -459,13 +550,17 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	defer f.cleanup()

 	for _, part := range parts {
+		if part.PartNumber == nil || *part.PartNumber < 1 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
+		}
+
 		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
 		fullPartPath := filepath.Join(bucket, partObjPath)
 		pf, err := os.Open(fullPartPath)
 		if err != nil {
 			return nil, fmt.Errorf("open part %v: %v", *part.PartNumber, err)
 		}
-		_, err = io.Copy(f, pf)
+		_, err = io.Copy(f.File(), pf)
 		pf.Close()
 		if err != nil {
 			if errors.Is(err, syscall.EDQUOT) {
@@ -477,7 +572,7 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM

 	userMetaData := make(map[string]string)
 	upiddir := filepath.Join(objdir, uploadID)
-	p.loadUserMetaData(bucket, objdir, userMetaData)
+	cType, _ := p.loadUserMetaData(bucket, upiddir, userMetaData)

 	objname := filepath.Join(bucket, object)
 	dir := filepath.Dir(objname)
@@ -494,7 +589,7 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 	}

 	for k, v := range userMetaData {
-		err = p.meta.StoreAttribute(bucket, object, k, []byte(v))
+		err = p.meta.StoreAttribute(bucket, object, fmt.Sprintf("%v.%v", metaHdr, k), []byte(v))
 		if err != nil {
 			// cleanup object if returning error
 			os.Remove(objname)
@@ -502,6 +597,54 @@ func (p *Posix) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteM
 		}
 	}

+	// load and set tagging
+	tagging, err := p.meta.RetrieveAttribute(bucket, upiddir, tagHdr)
+	if err == nil {
+		if err := p.meta.StoreAttribute(bucket, object, tagHdr, tagging); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object tagging: %w", err)
+		}
+	}
+	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, fmt.Errorf("get object tagging: %w", err)
+	}
+
+	// set content-type
+	if cType != "" {
+		if err := p.meta.StoreAttribute(bucket, object, contentTypeHdr, []byte(cType)); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object content type: %w", err)
+		}
+	}
+
+	// load and set legal hold
+	lHold, err := p.meta.RetrieveAttribute(bucket, upiddir, objectLegalHoldKey)
+	if err == nil {
+		if err := p.meta.StoreAttribute(bucket, object, objectLegalHoldKey, lHold); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object legal hold: %w", err)
+		}
+	}
+	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, fmt.Errorf("get object legal hold: %w", err)
+	}
+
+	// load and set retention
+	ret, err := p.meta.RetrieveAttribute(bucket, upiddir, objectRetentionKey)
+	if err == nil {
+		if err := p.meta.StoreAttribute(bucket, object, objectRetentionKey, ret); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object retention: %w", err)
+		}
+	}
+	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, fmt.Errorf("get object retention: %w", err)
+	}
+
 	// Calculate s3 compatible md5sum for complete multipart.
 	s3MD5 := backend.GetMultipartMD5(parts)

@@ -539,16 +682,16 @@ func (p *Posix) checkUploadIDExists(bucket, object, uploadID string) ([32]byte,
 	return sum, nil
 }

-func (p *Posix) retrieveUploadId(bucket, object string) (string, error) {
+func (p *Posix) retrieveUploadId(bucket, object string) (string, [32]byte, error) {
 	sum := sha256.Sum256([]byte(object))
 	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	entries, err := os.ReadDir(objdir)
 	if err != nil || len(entries) == 0 {
-		return "", s3err.GetAPIError(s3err.ErrNoSuchKey)
+		return "", [32]byte{}, s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}

-	return entries[0].Name(), nil
+	return entries[0].Name(), sum, nil
 }

 // fll out the user metadata map with the metadata for the object
@@ -858,7 +1001,11 @@ func (p *Posix) ListParts(_ context.Context, input *s3.ListPartsInput) (s3respon

 	var parts []s3response.Part
 	for _, e := range ents {
-		pn, _ := strconv.Atoi(e.Name())
+		pn, err := strconv.Atoi(e.Name())
+		if err != nil {
+			// file is not a valid part file
+			continue
+		}
 		if pn <= partNumberMarker {
 			continue
 		}
@@ -958,7 +1105,7 @@ func (p *Posix) UploadPart(ctx context.Context, input *s3.UploadPartInput) (stri
 	partPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part))

 	f, err := p.openTmpFile(filepath.Join(bucket, objdir),
-		bucket, partPath, length, acct)
+		bucket, partPath, length, acct, doFalloc)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
 			return "", s3err.GetAPIError(s3err.ErrQuotaExceeded)
@@ -1066,7 +1213,7 @@ func (p *Posix) UploadPartCopy(ctx context.Context, upi *s3.UploadPartCopyInput)
 	}

 	f, err := p.openTmpFile(filepath.Join(*upi.Bucket, objdir),
-		*upi.Bucket, partPath, length, acct)
+		*upi.Bucket, partPath, length, acct, doFalloc)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
 			return s3response.CopyObjectResult{}, s3err.GetAPIError(s3err.ErrQuotaExceeded)
@@ -1205,7 +1352,7 @@ func (p *Posix) PutObject(ctx context.Context, po *s3.PutObjectInput) (string, e
 	}

 	f, err := p.openTmpFile(filepath.Join(*po.Bucket, metaTmpDir),
-		*po.Bucket, *po.Key, contentLength, acct)
+		*po.Bucket, *po.Key, contentLength, acct, doFalloc)
 	if err != nil {
 		if errors.Is(err, syscall.EDQUOT) {
 			return "", s3err.GetAPIError(s3err.ErrQuotaExceeded)
@@ -1269,7 +1416,7 @@ func (p *Posix) PutObject(ctx context.Context, po *s3.PutObjectInput) (string, e
 		if err != nil {
 			return "", fmt.Errorf("parse object lock retention: %w", err)
 		}
-		if err := p.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", retParsed); err != nil {
+		if err := p.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", true, retParsed); err != nil {
 			return "", err
 		}
 	}
@@ -1435,7 +1582,7 @@ func (p *Posix) GetObject(_ context.Context, input *s3.GetObjectInput, writer io
 	}

 	if startOffset+length > objSize+1 {
-		return nil, s3err.GetAPIError(s3err.ErrInvalidRange)
+		length = objSize - startOffset + 1
 	}

 	var contentRange string
@@ -1536,6 +1683,46 @@ func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.
 	bucket := *input.Bucket
 	object := *input.Key

+	if input.PartNumber != nil {
+		uploadId, sum, err := p.retrieveUploadId(bucket, object)
+		if err != nil {
+			return nil, err
+		}
+
+		ents, err := os.ReadDir(filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId))
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("read parts: %w", err)
+		}
+
+		partPath := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId, fmt.Sprintf("%v", *input.PartNumber))
+
+		part, err := os.Stat(filepath.Join(bucket, partPath))
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("stat part: %w", err)
+		}
+
+		b, err := p.meta.RetrieveAttribute(bucket, partPath, etagkey)
+		etag := string(b)
+		if err != nil {
+			etag = ""
+		}
+		partsCount := int32(len(ents))
+		size := part.Size()
+
+		return &s3.HeadObjectOutput{
+			LastModified:  backend.GetTimePtr(part.ModTime()),
+			ETag:          &etag,
+			PartsCount:    &partsCount,
+			ContentLength: &size,
+		}, nil
+	}
+
 	_, err := os.Stat(bucket)
 	if errors.Is(err, fs.ErrNotExist) {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucket)
@@ -1556,6 +1743,11 @@ func (p *Posix) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.
 	userMetaData := make(map[string]string)
 	contentType, contentEncoding := p.loadUserMetaData(bucket, object, userMetaData)

+	if fi.IsDir() {
+		// this is the media type for directories in AWS and Nextcloud
+		contentType = "application/x-directory"
+	}
+
 	b, err := p.meta.RetrieveAttribute(bucket, object, etagkey)
 	etag := string(b)
 	if err != nil {
@@ -1618,7 +1810,7 @@ func (p *Posix) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAttr
 		return s3response.GetObjectAttributesResult{}, err
 	}

-	uploadId, err := p.retrieveUploadId(*input.Bucket, *input.Key)
+	uploadId, _, err := p.retrieveUploadId(*input.Bucket, *input.Key)
 	if err != nil {
 		return s3response.GetObjectAttributesResult{}, err
 	}
@@ -1637,6 +1829,11 @@ func (p *Posix) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAttr
 	parts := []types.ObjectPart{}

 	for _, p := range resp.Parts {
+		if !(p.PartNumber > 0 && p.PartNumber <= math.MaxInt32) {
+			return s3response.GetObjectAttributesResult{},
+				s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+		}
+
 		partNumber := int32(p.PartNumber)
 		size := p.Size

@@ -2167,6 +2364,23 @@ func (p *Posix) PutObjectLockConfiguration(_ context.Context, bucket string, con
 		return fmt.Errorf("stat bucket: %w", err)
 	}

+	cfg, err := p.meta.RetrieveAttribute(bucket, "", bucketLockKey)
+	if errors.Is(err, meta.ErrNoSuchKey) {
+		return s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotAllowed)
+	}
+	if err != nil {
+		return fmt.Errorf("get object lock config: %w", err)
+	}
+
+	var bucketLockCfg auth.BucketLockConfig
+	if err := json.Unmarshal(cfg, &bucketLockCfg); err != nil {
+		return fmt.Errorf("unmarshal object lock config: %w", err)
+	}
+
+	if !bucketLockCfg.Enabled {
+		return s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotAllowed)
+	}
+
 	if err := p.meta.StoreAttribute(bucket, "", bucketLockKey, config); err != nil {
 		return fmt.Errorf("set object lock config: %w", err)
 	}
@@ -2263,7 +2477,7 @@ func (p *Posix) GetObjectLegalHold(_ context.Context, bucket, object, versionId
 	return &result, nil
 }

-func (p *Posix) PutObjectRetention(_ context.Context, bucket, object, versionId string, retention []byte) error {
+func (p *Posix) PutObjectRetention(_ context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
 	_, err := os.Stat(bucket)
 	if errors.Is(err, fs.ErrNotExist) {
 		return s3err.GetAPIError(s3err.ErrNoSuchBucket)
@@ -2289,11 +2503,38 @@ func (p *Posix) PutObjectRetention(_ context.Context, bucket, object, versionId
 		return s3err.GetAPIError(s3err.ErrInvalidBucketObjectLockConfiguration)
 	}

-	err = p.meta.StoreAttribute(bucket, object, objectRetentionKey, retention)
+	objectLockCfg, err := p.meta.RetrieveAttribute(bucket, object, objectRetentionKey)
 	if errors.Is(err, fs.ErrNotExist) {
 		return s3err.GetAPIError(s3err.ErrNoSuchKey)
 	}
+	if errors.Is(err, meta.ErrNoSuchKey) {
+		if err := p.meta.StoreAttribute(bucket, object, objectRetentionKey, retention); err != nil {
+			return fmt.Errorf("set object lock config: %w", err)
+		}
+
+		return nil
+	}
 	if err != nil {
+		return fmt.Errorf("get object lock config: %w", err)
+	}
+
+	var lockCfg types.ObjectLockRetention
+	if err := json.Unmarshal(objectLockCfg, &lockCfg); err != nil {
+		return fmt.Errorf("unmarshal object lock config: %w", err)
+	}
+
+	switch lockCfg.Mode {
+	// Compliance mode can't be overridden
+	case types.ObjectLockRetentionModeCompliance:
+		return s3err.GetAPIError(s3err.ErrMethodNotAllowed)
+	// To override governance mode user should have "s3:BypassGovernanceRetention" permission
+	case types.ObjectLockRetentionModeGovernance:
+		if !bypass {
+			return s3err.GetAPIError(s3err.ErrMethodNotAllowed)
+		}
+	}
+
+	if err := p.meta.StoreAttribute(bucket, object, objectRetentionKey, retention); err != nil {
 		return fmt.Errorf("set object lock config: %w", err)
 	}

--- a/backend/posix/with_otmpfile.go
+++ b/backend/posix/with_otmpfile.go
@@ -50,7 +50,7 @@ var (
 	defaultFilePerm uint32 = 0644
 )

-func (p *Posix) openTmpFile(dir, bucket, obj string, size int64, acct auth.Account) (*tmpfile, error) {
+func (p *Posix) openTmpFile(dir, bucket, obj string, size int64, acct auth.Account, dofalloc bool) (*tmpfile, error) {
 	uid, gid, doChown := p.getChownIDs(acct)

 	// O_TMPFILE allows for a file handle to an unnamed file in the filesystem.
@@ -81,7 +81,7 @@ func (p *Posix) openTmpFile(dir, bucket, obj string, size int64, acct auth.Accou
 			gid:        gid,
 		}
 		// falloc is best effort, its fine if this fails
-		if size > 0 {
+		if size > 0 && dofalloc {
 			tmp.falloc()
 		}

@@ -111,7 +111,7 @@ func (p *Posix) openTmpFile(dir, bucket, obj string, size int64, acct auth.Accou
 	}

 	// falloc is best effort, its fine if this fails
-	if size > 0 {
+	if size > 0 && dofalloc {
 		tmp.falloc()
 	}

@@ -221,3 +221,7 @@ func (tmp *tmpfile) Write(b []byte) (int, error) {
 func (tmp *tmpfile) cleanup() {
 	tmp.f.Close()
 }
+
+func (tmp *tmpfile) File() *os.File {
+	return tmp.f
+}
--- a/backend/posix/without_otmpfile.go
+++ b/backend/posix/without_otmpfile.go
@@ -36,7 +36,7 @@ type tmpfile struct {
 	size    int64
 }

-func (p *Posix) openTmpFile(dir, bucket, obj string, size int64, acct auth.Account) (*tmpfile, error) {
+func (p *Posix) openTmpFile(dir, bucket, obj string, size int64, acct auth.Account, _ bool) (*tmpfile, error) {
 	uid, gid, doChown := p.getChownIDs(acct)

 	// Create a temp file for upload while in progress (see link comments below).
@@ -112,3 +112,7 @@ func (tmp *tmpfile) Write(b []byte) (int, error) {
 func (tmp *tmpfile) cleanup() {
 	tmp.f.Close()
 }
+
+func (tmp *tmpfile) File() *os.File {
+	return tmp.f
+}
--- a/backend/s3proxy/client.go
+++ b/backend/s3proxy/client.go
@@ -33,6 +33,12 @@ func (s *S3Proxy) getClientWithCtx(ctx context.Context) (*s3.Client, error) {
 		return nil, err
 	}

+	if s.endpoint != "" {
+		return s3.NewFromConfig(cfg, func(o *s3.Options) {
+			o.BaseEndpoint = &s.endpoint
+		}), nil
+	}
+
 	return s3.NewFromConfig(cfg), nil
 }

@@ -50,11 +56,6 @@ func (s *S3Proxy) getConfig(ctx context.Context, access, secret string) (aws.Con
 		config.WithHTTPClient(client),
 	}

-	if s.endpoint != "" {
-		opts = append(opts,
-			config.WithEndpointResolverWithOptions(s))
-	}
-
 	if s.disableChecksum {
 		opts = append(opts,
 			config.WithAPIOptions([]func(*middleware.Stack) error{v4.SwapComputePayloadSHA256ForUnsignedPayloadMiddleware}))
@@ -67,13 +68,3 @@ func (s *S3Proxy) getConfig(ctx context.Context, access, secret string) (aws.Con

 	return config.LoadDefaultConfig(ctx, opts...)
 }
-
-// ResolveEndpoint is used for on prem or non-aws endpoints
-func (s *S3Proxy) ResolveEndpoint(service, region string, options ...interface{}) (aws.Endpoint, error) {
-	return aws.Endpoint{
-		PartitionID:       "aws",
-		URL:               s.endpoint,
-		SigningRegion:     s.awsRegion,
-		HostnameImmutable: true,
-	}, nil
-}
--- a/backend/s3proxy/s3.go
+++ b/backend/s3proxy/s3.go
@@ -530,17 +530,18 @@ func (s *S3Proxy) GetObjectLockConfiguration(ctx context.Context, bucket string)
 	return json.Marshal(config)
 }

-func (s *S3Proxy) PutObjectRetention(ctx context.Context, bucket, object, versionId string, retention []byte) error {
+func (s *S3Proxy) PutObjectRetention(ctx context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
 	ret, err := auth.ParseObjectLockRetentionOutput(retention)
 	if err != nil {
 		return err
 	}

 	_, err = s.client.PutObjectRetention(ctx, &s3.PutObjectRetentionInput{
-		Bucket:    &bucket,
-		Key:       &object,
-		VersionId: &versionId,
-		Retention: ret,
+		Bucket:                    &bucket,
+		Key:                       &object,
+		VersionId:                 &versionId,
+		Retention:                 ret,
+		BypassGovernanceRetention: &bypass,
 	})
 	return handleError(err)
 }
--- a/backend/scoutfs/scoutfs.go
+++ b/backend/scoutfs/scoutfs.go
@@ -26,12 +26,14 @@ import (
 	"path/filepath"
 	"strings"
 	"syscall"
+	"time"

 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/pkg/xattr"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/backend/meta"
 	"github.com/versity/versitygw/backend/posix"
 	"github.com/versity/versitygw/s3err"
 )
@@ -47,6 +49,9 @@ type ScoutFS struct {
 	rootfd  *os.File
 	rootdir string

+	// bucket/object metadata storage facility
+	meta meta.MetadataStorer
+
 	// glaciermode enables the following behavior:
 	// GET object:  if file offline, return invalid object state
 	// HEAD object: if file offline, set obj storage class to GLACIER
@@ -75,8 +80,13 @@ const (
 	metaTmpDir          = ".sgwtmp"
 	metaTmpMultipartDir = metaTmpDir + "/multipart"
 	tagHdr              = "X-Amz-Tagging"
+	metaHdr             = "X-Amz-Meta"
+	contentTypeHdr      = "content-type"
+	contentEncHdr       = "content-encoding"
 	emptyMD5            = "d41d8cd98f00b204e9800998ecf8427e"
-	etagkey             = "user.etag"
+	etagkey             = "etag"
+	objectRetentionKey  = "object-retention"
+	objectLegalHoldKey  = "object-legal-hold"
 )

 var (
@@ -87,11 +97,12 @@ var (

 const (
 	// ScoutFS special xattr types
-
 	systemPrefix = "scoutfs.hide."
 	onameAttr    = systemPrefix + "objname"
 	flagskey     = systemPrefix + "sam_flags"
 	stagecopykey = systemPrefix + "sam_stagereq"
+
+	fsBlocksize = 4096
 )

 const (
@@ -179,18 +190,20 @@ func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.Complet
 		return nil, err
 	}

-	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+	objdir := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum))

 	// check all parts ok
 	last := len(parts) - 1
 	partsize := int64(0)
 	var totalsize int64
-	for i, p := range parts {
-		if p.PartNumber == nil {
+	for i, part := range parts {
+		if part.PartNumber == nil || *part.PartNumber < 1 {
 			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
 		}
-		partPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *p.PartNumber))
-		fi, err := os.Lstat(partPath)
+
+		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
+		fullPartPath := filepath.Join(bucket, partObjPath)
+		fi, err := os.Lstat(fullPartPath)
 		if err != nil {
 			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
 		}
@@ -198,23 +211,25 @@ func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.Complet
 		if i == 0 {
 			partsize = fi.Size()
 		}
+
+		// partsize must be a multiple of the filesystem blocksize
+		// except for last part
+		if i < last && partsize%fsBlocksize != 0 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
+		}
+
 		totalsize += fi.Size()
 		// all parts except the last need to be the same size
 		if i < last && partsize != fi.Size() {
 			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
 		}
-		// non-last part sizes need to be multiples of 4k for move blocks
-		// TODO: fallback to no move blocks if not 4k aligned?
-		if i == 0 && i < last && fi.Size()%4096 != 0 {
-			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
-		}

-		b, err := xattr.Get(partPath, "user.etag")
+		b, err := s.meta.RetrieveAttribute(bucket, partObjPath, etagkey)
 		etag := string(b)
 		if err != nil {
 			etag = ""
 		}
-		if etag != *parts[i].ETag {
+		if parts[i].ETag == nil || etag != *parts[i].ETag {
 			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
 		}
 	}
@@ -230,10 +245,16 @@ func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.Complet
 	}
 	defer f.cleanup()

-	for _, p := range parts {
-		pf, err := os.Open(filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *p.PartNumber)))
+	for _, part := range parts {
+		if part.PartNumber == nil || *part.PartNumber < 1 {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
+		}
+
+		partObjPath := filepath.Join(objdir, uploadID, fmt.Sprintf("%v", *part.PartNumber))
+		fullPartPath := filepath.Join(bucket, partObjPath)
+		pf, err := os.Open(fullPartPath)
 		if err != nil {
-			return nil, fmt.Errorf("open part %v: %v", *p.PartNumber, err)
+			return nil, fmt.Errorf("open part %v: %v", *part.PartNumber, err)
 		}

 		// scoutfs move data is a metadata only operation that moves the data
@@ -242,13 +263,13 @@ func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.Complet
 		err = moveData(pf, f.f)
 		pf.Close()
 		if err != nil {
-			return nil, fmt.Errorf("move blocks part %v: %v", *p.PartNumber, err)
+			return nil, fmt.Errorf("move blocks part %v: %v", *part.PartNumber, err)
 		}
 	}

 	userMetaData := make(map[string]string)
 	upiddir := filepath.Join(objdir, uploadID)
-	loadUserMetaData(upiddir, userMetaData)
+	cType, _ := s.loadUserMetaData(bucket, upiddir, userMetaData)

 	objname := filepath.Join(bucket, object)
 	dir := filepath.Dir(objname)
@@ -265,7 +286,7 @@ func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.Complet
 	}

 	for k, v := range userMetaData {
-		err = xattr.Set(objname, "user."+k, []byte(v))
+		err = s.meta.StoreAttribute(bucket, object, fmt.Sprintf("%v.%v", metaHdr, k), []byte(v))
 		if err != nil {
 			// cleanup object if returning error
 			os.Remove(objname)
@@ -273,10 +294,58 @@ func (s *ScoutFS) CompleteMultipartUpload(ctx context.Context, input *s3.Complet
 		}
 	}

+	// load and set tagging
+	tagging, err := s.meta.RetrieveAttribute(bucket, upiddir, tagHdr)
+	if err == nil {
+		if err := s.meta.StoreAttribute(bucket, object, tagHdr, tagging); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object tagging: %w", err)
+		}
+	}
+	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, fmt.Errorf("get object tagging: %w", err)
+	}
+
+	// set content-type
+	if cType != "" {
+		if err := s.meta.StoreAttribute(bucket, object, contentTypeHdr, []byte(cType)); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object content type: %w", err)
+		}
+	}
+
+	// load and set legal hold
+	lHold, err := s.meta.RetrieveAttribute(bucket, upiddir, objectLegalHoldKey)
+	if err == nil {
+		if err := s.meta.StoreAttribute(bucket, object, objectLegalHoldKey, lHold); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object legal hold: %w", err)
+		}
+	}
+	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, fmt.Errorf("get object legal hold: %w", err)
+	}
+
+	// load and set retention
+	ret, err := s.meta.RetrieveAttribute(bucket, upiddir, objectRetentionKey)
+	if err == nil {
+		if err := s.meta.StoreAttribute(bucket, object, objectRetentionKey, ret); err != nil {
+			// cleanup object
+			os.Remove(objname)
+			return nil, fmt.Errorf("set object retention: %w", err)
+		}
+	}
+	if err != nil && !errors.Is(err, meta.ErrNoSuchKey) {
+		return nil, fmt.Errorf("get object retention: %w", err)
+	}
+
 	// Calculate s3 compatible md5sum for complete multipart.
 	s3MD5 := backend.GetMultipartMD5(parts)

-	err = xattr.Set(objname, "user.etag", []byte(s3MD5))
+	err = s.meta.StoreAttribute(bucket, object, etagkey, []byte(s3MD5))
 	if err != nil {
 		// cleanup object if returning error
 		os.Remove(objname)
@@ -310,61 +379,104 @@ func (s *ScoutFS) checkUploadIDExists(bucket, object, uploadID string) ([32]byte
 	return sum, nil
 }

-func loadUserMetaData(path string, m map[string]string) (contentType, contentEncoding string) {
-	ents, err := xattr.List(path)
+// fll out the user metadata map with the metadata for the object
+// and return the content type and encoding
+func (s *ScoutFS) loadUserMetaData(bucket, object string, m map[string]string) (string, string) {
+	ents, err := s.meta.ListAttributes(bucket, object)
 	if err != nil || len(ents) == 0 {
-		return
+		return "", ""
 	}
 	for _, e := range ents {
 		if !isValidMeta(e) {
 			continue
 		}
-		b, err := xattr.Get(path, e)
-		if err == errNoData {
-			m[strings.TrimPrefix(e, "user.")] = ""
-			continue
-		}
+		b, err := s.meta.RetrieveAttribute(bucket, object, e)
 		if err != nil {
 			continue
 		}
-		m[strings.TrimPrefix(e, "user.")] = string(b)
+		if b == nil {
+			m[strings.TrimPrefix(e, fmt.Sprintf("%v.", metaHdr))] = ""
+			continue
+		}
+		m[strings.TrimPrefix(e, fmt.Sprintf("%v.", metaHdr))] = string(b)
 	}

-	b, err := xattr.Get(path, "user.content-type")
+	var contentType, contentEncoding string
+	b, _ := s.meta.RetrieveAttribute(bucket, object, contentTypeHdr)
 	contentType = string(b)
-	if err != nil {
-		contentType = ""
-	}
 	if contentType != "" {
-		m["content-type"] = contentType
+		m[contentTypeHdr] = contentType
 	}

-	b, err = xattr.Get(path, "user.content-encoding")
+	b, _ = s.meta.RetrieveAttribute(bucket, object, contentEncHdr)
 	contentEncoding = string(b)
-	if err != nil {
-		contentEncoding = ""
-	}
 	if contentEncoding != "" {
-		m["content-encoding"] = contentEncoding
+		m[contentEncHdr] = contentEncoding
 	}

-	return
+	return contentType, contentEncoding
 }

 func isValidMeta(val string) bool {
-	if strings.HasPrefix(val, "user.X-Amz-Meta") {
+	if strings.HasPrefix(val, metaHdr) {
 		return true
 	}
-	if strings.EqualFold(val, "user.Expires") {
+	if strings.EqualFold(val, "Expires") {
 		return true
 	}
 	return false
 }

-func (s *ScoutFS) HeadObject(_ context.Context, input *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
+func (s *ScoutFS) HeadObject(ctx context.Context, input *s3.HeadObjectInput) (*s3.HeadObjectOutput, error) {
+	if input.Bucket == nil {
+		return nil, s3err.GetAPIError(s3err.ErrInvalidBucketName)
+	}
+	if input.Key == nil {
+		return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
 	bucket := *input.Bucket
 	object := *input.Key

+	if input.PartNumber != nil {
+		uploadId, sum, err := s.retrieveUploadId(bucket, object)
+		if err != nil {
+			return nil, err
+		}
+
+		ents, err := os.ReadDir(filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId))
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil, s3err.GetAPIError(s3err.ErrNoSuchKey)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("read parts: %w", err)
+		}
+
+		partPath := filepath.Join(metaTmpMultipartDir, fmt.Sprintf("%x", sum), uploadId, fmt.Sprintf("%v", *input.PartNumber))
+
+		part, err := os.Stat(filepath.Join(bucket, partPath))
+		if errors.Is(err, fs.ErrNotExist) {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidPart)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("stat part: %w", err)
+		}
+
+		b, err := s.meta.RetrieveAttribute(bucket, partPath, etagkey)
+		etag := string(b)
+		if err != nil {
+			etag = ""
+		}
+		partsCount := int32(len(ents))
+		size := part.Size()
+
+		return &s3.HeadObjectOutput{
+			LastModified:  backend.GetTimePtr(part.ModTime()),
+			ETag:          &etag,
+			PartsCount:    &partsCount,
+			ContentLength: &size,
+		}, nil
+	}
+
 	_, err := os.Stat(bucket)
 	if errors.Is(err, fs.ErrNotExist) {
 		return nil, s3err.GetAPIError(s3err.ErrNoSuchBucket)
@@ -383,9 +495,14 @@ func (s *ScoutFS) HeadObject(_ context.Context, input *s3.HeadObjectInput) (*s3.
 	}

 	userMetaData := make(map[string]string)
-	contentType, contentEncoding := loadUserMetaData(objPath, userMetaData)
+	contentType, contentEncoding := s.loadUserMetaData(bucket, object, userMetaData)

-	b, err := xattr.Get(objPath, etagkey)
+	if fi.IsDir() {
+		// this is the media type for directories in AWS and Nextcloud
+		contentType = "application/x-directory"
+	}
+
+	b, err := s.meta.RetrieveAttribute(bucket, object, etagkey)
 	etag := string(b)
 	if err != nil {
 		etag = ""
@@ -424,18 +541,54 @@ func (s *ScoutFS) HeadObject(_ context.Context, input *s3.HeadObjectInput) (*s3.

 	contentLength := fi.Size()

+	var objectLockLegalHoldStatus types.ObjectLockLegalHoldStatus
+	status, err := s.Posix.GetObjectLegalHold(ctx, bucket, object, "")
+	if err == nil {
+		if *status {
+			objectLockLegalHoldStatus = types.ObjectLockLegalHoldStatusOn
+		} else {
+			objectLockLegalHoldStatus = types.ObjectLockLegalHoldStatusOff
+		}
+	}
+
+	var objectLockMode types.ObjectLockMode
+	var objectLockRetainUntilDate *time.Time
+	retention, err := s.Posix.GetObjectRetention(ctx, bucket, object, "")
+	if err == nil {
+		var config types.ObjectLockRetention
+		if err := json.Unmarshal(retention, &config); err == nil {
+			objectLockMode = types.ObjectLockMode(config.Mode)
+			objectLockRetainUntilDate = config.RetainUntilDate
+		}
+	}
+
 	return &s3.HeadObjectOutput{
-		ContentLength:   &contentLength,
-		ContentType:     &contentType,
-		ContentEncoding: &contentEncoding,
-		ETag:            &etag,
-		LastModified:    backend.GetTimePtr(fi.ModTime()),
-		Metadata:        userMetaData,
-		StorageClass:    stclass,
-		Restore:         &requestOngoing,
+		ContentLength:             &contentLength,
+		ContentType:               &contentType,
+		ContentEncoding:           &contentEncoding,
+		ETag:                      &etag,
+		LastModified:              backend.GetTimePtr(fi.ModTime()),
+		Metadata:                  userMetaData,
+		StorageClass:              stclass,
+		Restore:                   &requestOngoing,
+		ObjectLockLegalHoldStatus: objectLockLegalHoldStatus,
+		ObjectLockMode:            objectLockMode,
+		ObjectLockRetainUntilDate: objectLockRetainUntilDate,
 	}, nil
 }

+func (s *ScoutFS) retrieveUploadId(bucket, object string) (string, [32]byte, error) {
+	sum := sha256.Sum256([]byte(object))
+	objdir := filepath.Join(bucket, metaTmpMultipartDir, fmt.Sprintf("%x", sum))
+
+	entries, err := os.ReadDir(objdir)
+	if err != nil || len(entries) == 0 {
+		return "", [32]byte{}, s3err.GetAPIError(s3err.ErrNoSuchKey)
+	}
+
+	return entries[0].Name(), sum, nil
+}
+
 func (s *ScoutFS) GetObject(_ context.Context, input *s3.GetObjectInput, writer io.Writer) (*s3.GetObjectOutput, error) {
 	bucket := *input.Bucket
 	object := *input.Key
@@ -515,9 +668,9 @@ func (s *ScoutFS) GetObject(_ context.Context, input *s3.GetObjectInput, writer

 	userMetaData := make(map[string]string)

-	contentType, contentEncoding := loadUserMetaData(objPath, userMetaData)
+	contentType, contentEncoding := s.loadUserMetaData(bucket, object, userMetaData)

-	b, err := xattr.Get(objPath, etagkey)
+	b, err := s.meta.RetrieveAttribute(bucket, object, etagkey)
 	etag := string(b)
 	if err != nil {
 		etag = ""
@@ -671,14 +824,11 @@ func (s *ScoutFS) fileToObj(bucket string) backend.GetObjFunc {
 		if d.IsDir() {
 			// directory object only happens if directory empty
 			// check to see if this is a directory object by checking etag
-			etagBytes, err := xattr.Get(objPath, etagkey)
-			if isNoAttr(err) || errors.Is(err, fs.ErrNotExist) {
-				return types.Object{}, backend.ErrSkipObj
-			}
+			b, err := s.meta.RetrieveAttribute(bucket, path, etagkey)
 			if err != nil {
 				return types.Object{}, fmt.Errorf("get etag: %w", err)
 			}
-			etag := string(etagBytes)
+			etag := string(b)

 			fi, err := d.Info()
 			if errors.Is(err, fs.ErrNotExist) {
@@ -698,14 +848,14 @@ func (s *ScoutFS) fileToObj(bucket string) backend.GetObjFunc {
 		}

 		// file object, get object info and fill out object data
-		etagBytes, err := xattr.Get(objPath, etagkey)
+		b, err := s.meta.RetrieveAttribute(bucket, path, etagkey)
 		if errors.Is(err, fs.ErrNotExist) {
 			return types.Object{}, backend.ErrSkipObj
 		}
-		if err != nil && !isNoAttr(err) {
+		if err != nil {
 			return types.Object{}, fmt.Errorf("get etag: %w", err)
 		}
-		etag := string(etagBytes)
+		etag := string(b)

 		fi, err := d.Info()
 		if errors.Is(err, fs.ErrNotExist) {
--- a/backend/scoutfs/scoutfs_compat.go
+++ b/backend/scoutfs/scoutfs_compat.go
@@ -23,7 +23,6 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
-	"syscall"

 	"golang.org/x/sys/unix"

@@ -35,7 +34,9 @@ import (
 )

 func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
-	p, err := posix.New(rootdir, meta.XattrMeta{}, posix.PosixOpts{
+	metastore := meta.XattrMeta{}
+
+	p, err := posix.New(rootdir, metastore, posix.PosixOpts{
 		ChownUID: opts.ChownUID,
 		ChownGID: opts.ChownGID,
 	})
@@ -52,6 +53,7 @@ func New(rootdir string, opts ScoutfsOpts) (*ScoutFS, error) {
 		Posix:    p,
 		rootfd:   f,
 		rootdir:  rootdir,
+		meta:     metastore,
 		chownuid: opts.ChownUID,
 		chowngid: opts.ChownGID,
 	}, nil
@@ -100,11 +102,6 @@ func (s *ScoutFS) openTmpFile(dir, bucket, obj string, size int64, acct auth.Acc
 		gid:        gid,
 	}

-	// falloc is best effort, its fine if this fails
-	if size > 0 {
-		tmp.falloc()
-	}
-
 	if doChown {
 		err := f.Chown(uid, gid)
 		if err != nil {
@@ -115,14 +112,6 @@ func (s *ScoutFS) openTmpFile(dir, bucket, obj string, size int64, acct auth.Acc
 	return tmp, nil
 }

-func (tmp *tmpfile) falloc() error {
-	err := syscall.Fallocate(int(tmp.f.Fd()), 0, 0, tmp.size)
-	if err != nil {
-		return fmt.Errorf("fallocate: %v", err)
-	}
-	return nil
-}
-
 func (tmp *tmpfile) link() error {
 	// We use Linkat/Rename as the atomic operation for object puts. The
 	// upload is written to a temp (or unnamed/O_TMPFILE) file to not conflict
--- a/cmd/versitygw/admin.go
+++ b/cmd/versitygw/admin.go
@@ -80,11 +80,6 @@ func adminCommand() *cli.Command {
 						Usage:   "groupID for the new user",
 						Aliases: []string{"gi"},
 					},
-					&cli.IntFlag{
-						Name:    "project-id",
-						Usage:   "projectID for the new user",
-						Aliases: []string{"pi"},
-					},
 				},
 			},
 			{
@@ -176,21 +171,20 @@ func initHTTPClient() *http.Client {

 func createUser(ctx *cli.Context) error {
 	access, secret, role := ctx.String("access"), ctx.String("secret"), ctx.String("role")
-	userID, groupID, projectID := ctx.Int("user-id"), ctx.Int("group-id"), ctx.Int("projectID")
+	userID, groupID := ctx.Int("user-id"), ctx.Int("group-id")
 	if access == "" || secret == "" {
-		return fmt.Errorf("invalid input parameters for the new user")
+		return fmt.Errorf("invalid input parameters for the new user access/secret keys")
 	}
 	if role != string(auth.RoleAdmin) && role != string(auth.RoleUser) && role != string(auth.RoleUserPlus) {
 		return fmt.Errorf("invalid input parameter for role: %v", role)
 	}

 	acc := auth.Account{
-		Access:    access,
-		Secret:    secret,
-		Role:      auth.Role(role),
-		UserID:    userID,
-		GroupID:   groupID,
-		ProjectID: projectID,
+		Access:  access,
+		Secret:  secret,
+		Role:    auth.Role(role),
+		UserID:  userID,
+		GroupID: groupID,
 	}

 	accJson, err := json.Marshal(acc)
@@ -240,7 +234,7 @@ func createUser(ctx *cli.Context) error {
 func deleteUser(ctx *cli.Context) error {
 	access := ctx.String("access")
 	if access == "" {
-		return fmt.Errorf("invalid input parameter for the new user")
+		return fmt.Errorf("invalid input parameter for the user access key")
 	}

 	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%v/delete-user?access=%v", adminEndpoint, access), nil)
@@ -339,10 +333,10 @@ const (
 func printAcctTable(accs []auth.Account) {
 	w := new(tabwriter.Writer)
 	w.Init(os.Stdout, minwidth, tabwidth, padding, padchar, flags)
-	fmt.Fprintln(w, "Account\tRole\tUserID\tGroupID\tProjectID")
-	fmt.Fprintln(w, "-------\t----\t------\t-------\t---------")
+	fmt.Fprintln(w, "Account\tRole\tUserID\tGroupID")
+	fmt.Fprintln(w, "-------\t----\t------\t-------")
 	for _, acc := range accs {
-		fmt.Fprintf(w, "%v\t%v\t%v\t%v\t%v\n", acc.Access, acc.Role, acc.UserID, acc.GroupID, acc.ProjectID)
+		fmt.Fprintf(w, "%v\t%v\t%v\t%v\n", acc.Access, acc.Role, acc.UserID, acc.GroupID)
 	}
 	fmt.Fprintln(w)
 	w.Flush()
--- a/cmd/versitygw/main.go
+++ b/cmd/versitygw/main.go
@@ -27,6 +27,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api"
 	"github.com/versity/versitygw/s3api/middlewares"
 	"github.com/versity/versitygw/s3event"
@@ -34,33 +35,42 @@ import (
 )

 var (
-	port, admPort                          string
-	rootUserAccess                         string
-	rootUserSecret                         string
-	region                                 string
-	admCertFile, admKeyFile                string
-	certFile, keyFile                      string
-	kafkaURL, kafkaTopic, kafkaKey         string
-	natsURL, natsTopic                     string
-	eventWebhookURL                        string
-	eventConfigFilePath                    string
-	logWebhookURL                          string
-	accessLog                              string
-	healthPath                             string
-	debug                                  bool
-	pprof                                  string
-	quiet                                  bool
-	iamDir                                 string
-	ldapURL, ldapBindDN, ldapPassword      string
-	ldapQueryBase, ldapObjClasses          string
-	ldapAccessAtr, ldapSecAtr, ldapRoleAtr string
-	s3IamAccess, s3IamSecret               string
-	s3IamRegion, s3IamBucket               string
-	s3IamEndpoint                          string
-	s3IamSslNoVerify, s3IamDebug           bool
-	iamCacheDisable                        bool
-	iamCacheTTL                            int
-	iamCachePrune                          int
+	port, admPort                            string
+	rootUserAccess                           string
+	rootUserSecret                           string
+	region                                   string
+	admCertFile, admKeyFile                  string
+	certFile, keyFile                        string
+	kafkaURL, kafkaTopic, kafkaKey           string
+	natsURL, natsTopic                       string
+	eventWebhookURL                          string
+	eventConfigFilePath                      string
+	logWebhookURL                            string
+	accessLog                                string
+	healthPath                               string
+	debug                                    bool
+	pprof                                    string
+	quiet                                    bool
+	readonly                                 bool
+	iamDir                                   string
+	ldapURL, ldapBindDN, ldapPassword        string
+	ldapQueryBase, ldapObjClasses            string
+	ldapAccessAtr, ldapSecAtr, ldapRoleAtr   string
+	vaultEndpointURL, vaultSecretStoragePath string
+	vaultMountPath, vaultRootToken           string
+	vaultRoleId, vaultRoleSecret             string
+	vaultServerCert, vaultClientCert         string
+	vaultClientCertKey                       string
+	s3IamAccess, s3IamSecret                 string
+	s3IamRegion, s3IamBucket                 string
+	s3IamEndpoint                            string
+	s3IamSslNoVerify, s3IamDebug             bool
+	iamCacheDisable                          bool
+	iamCacheTTL                              int
+	iamCachePrune                            int
+	metricsService                           string
+	statsdServers                            string
+	dogstatsServers                          string
 )

 var (
@@ -321,6 +331,60 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_IAM_LDAP_ROLE_ATR"},
 			Destination: &ldapRoleAtr,
 		},
+		&cli.StringFlag{
+			Name:        "iam-vault-endpoint-url",
+			Usage:       "vault server url",
+			EnvVars:     []string{"VGW_IAM_VAULT_ENDPOINT_URL"},
+			Destination: &vaultEndpointURL,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-secret-storage-path",
+			Usage:       "vault server secret storage path",
+			EnvVars:     []string{"VGW_IAM_VAULT_SECRET_STORAGE_PATH"},
+			Destination: &vaultSecretStoragePath,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-mount-path",
+			Usage:       "vault server mount path",
+			EnvVars:     []string{"VGW_IAM_VAULT_MOUNT_PATH"},
+			Destination: &vaultMountPath,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-root-token",
+			Usage:       "vault server root token",
+			EnvVars:     []string{"VGW_IAM_VAULT_ROOT_TOKEN"},
+			Destination: &vaultRootToken,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-role-id",
+			Usage:       "vault server user role id",
+			EnvVars:     []string{"VGW_IAM_VAULT_ROLE_ID"},
+			Destination: &vaultRoleId,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-role-secret",
+			Usage:       "vault server user role secret",
+			EnvVars:     []string{"VGW_IAM_VAULT_ROLE_SECRET"},
+			Destination: &vaultRoleSecret,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-server_cert",
+			Usage:       "vault server TLS certificate",
+			EnvVars:     []string{"VGW_IAM_VAULT_SERVER_CERT"},
+			Destination: &vaultServerCert,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-client_cert",
+			Usage:       "vault client TLS certificate",
+			EnvVars:     []string{"VGW_IAM_VAULT_CLIENT_CERT"},
+			Destination: &vaultClientCert,
+		},
+		&cli.StringFlag{
+			Name:        "iam-vault-client_cert_key",
+			Usage:       "vault client TLS certificate key",
+			EnvVars:     []string{"VGW_IAM_VAULT_CLIENT_CERT_KEY"},
+			Destination: &vaultClientCertKey,
+		},
 		&cli.StringFlag{
 			Name:        "s3-iam-access",
 			Usage:       "s3 IAM access key",
@@ -391,6 +455,33 @@ func initFlags() []cli.Flag {
 			EnvVars:     []string{"VGW_HEALTH"},
 			Destination: &healthPath,
 		},
+		&cli.BoolFlag{
+			Name:        "readonly",
+			Usage:       "allow only read operations across all the gateway",
+			EnvVars:     []string{"VGW_READ_ONLY"},
+			Destination: &readonly,
+		},
+		&cli.StringFlag{
+			Name:        "metrics-service-name",
+			Usage:       "service name tag for metrics, hostname if blank",
+			EnvVars:     []string{"VGW_METRICS_SERVICE_NAME"},
+			Aliases:     []string{"msn"},
+			Destination: &metricsService,
+		},
+		&cli.StringFlag{
+			Name:        "metrics-statsd-servers",
+			Usage:       "StatsD server urls comma separated. e.g. 'statsd1.example.com:8125,statsd2.example.com:8125'",
+			EnvVars:     []string{"VGW_METRICS_STATSD_SERVERS"},
+			Aliases:     []string{"mss"},
+			Destination: &statsdServers,
+		},
+		&cli.StringFlag{
+			Name:        "metrics-dogstatsd-servers",
+			Usage:       "DogStatsD server urls comma separated. e.g. '127.0.0.1:8125,dogstats.example.com:8125'",
+			EnvVars:     []string{"VGW_METRICS_DOGSTATS_SERVERS"},
+			Aliases:     []string{"mds"},
+			Destination: &dogstatsServers,
+		},
 	}
 }

@@ -442,6 +533,9 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 	if healthPath != "" {
 		opts = append(opts, s3api.WithHealth(healthPath))
 	}
+	if readonly {
+		opts = append(opts, s3api.WithReadOnly())
+	}

 	admApp := fiber.New(fiber.Config{
 		AppName:      "versitygw",
@@ -466,25 +560,34 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 	}

 	iam, err := auth.New(&auth.Opts{
-		Dir:                iamDir,
-		LDAPServerURL:      ldapURL,
-		LDAPBindDN:         ldapBindDN,
-		LDAPPassword:       ldapPassword,
-		LDAPQueryBase:      ldapQueryBase,
-		LDAPObjClasses:     ldapObjClasses,
-		LDAPAccessAtr:      ldapAccessAtr,
-		LDAPSecretAtr:      ldapSecAtr,
-		LDAPRoleAtr:        ldapRoleAtr,
-		S3Access:           s3IamAccess,
-		S3Secret:           s3IamSecret,
-		S3Region:           s3IamRegion,
-		S3Bucket:           s3IamBucket,
-		S3Endpoint:         s3IamEndpoint,
-		S3DisableSSlVerfiy: s3IamSslNoVerify,
-		S3Debug:            s3IamDebug,
-		CacheDisable:       iamCacheDisable,
-		CacheTTL:           iamCacheTTL,
-		CachePrune:         iamCachePrune,
+		Dir:                    iamDir,
+		LDAPServerURL:          ldapURL,
+		LDAPBindDN:             ldapBindDN,
+		LDAPPassword:           ldapPassword,
+		LDAPQueryBase:          ldapQueryBase,
+		LDAPObjClasses:         ldapObjClasses,
+		LDAPAccessAtr:          ldapAccessAtr,
+		LDAPSecretAtr:          ldapSecAtr,
+		LDAPRoleAtr:            ldapRoleAtr,
+		VaultEndpointURL:       vaultEndpointURL,
+		VaultSecretStoragePath: vaultSecretStoragePath,
+		VaultMountPath:         vaultMountPath,
+		VaultRootToken:         vaultRootToken,
+		VaultRoleId:            vaultRoleId,
+		VaultRoleSecret:        vaultRoleSecret,
+		VaultServerCert:        vaultServerCert,
+		VaultClientCert:        vaultClientCert,
+		VaultClientCertKey:     vaultClientCertKey,
+		S3Access:               s3IamAccess,
+		S3Secret:               s3IamSecret,
+		S3Region:               s3IamRegion,
+		S3Bucket:               s3IamBucket,
+		S3Endpoint:             s3IamEndpoint,
+		S3DisableSSlVerfiy:     s3IamSslNoVerify,
+		S3Debug:                s3IamDebug,
+		CacheDisable:           iamCacheDisable,
+		CacheTTL:               iamCacheTTL,
+		CachePrune:             iamCachePrune,
 	})
 	if err != nil {
 		return fmt.Errorf("setup iam: %w", err)
@@ -498,6 +601,15 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 		return fmt.Errorf("setup logger: %w", err)
 	}

+	metricsManager, err := metrics.NewManager(ctx, metrics.Config{
+		ServiceName:      metricsService,
+		StatsdServers:    statsdServers,
+		DogStatsdServers: dogstatsServers,
+	})
+	if err != nil {
+		return fmt.Errorf("init metrics manager: %w", err)
+	}
+
 	evSender, err := s3event.InitEventSender(&s3event.EventConfig{
 		KafkaURL:             kafkaURL,
 		KafkaTopic:           kafkaTopic,
@@ -514,7 +626,7 @@ func runGateway(ctx context.Context, be backend.Backend) error {
 	srv, err := s3api.New(app, be, middlewares.RootUserConfig{
 		Access: rootUserAccess,
 		Secret: rootUserSecret,
-	}, port, region, iam, logger, evSender, opts...)
+	}, port, region, iam, logger, evSender, metricsManager, opts...)
 	if err != nil {
 		return fmt.Errorf("init gateway: %v", err)
 	}
@@ -577,5 +689,9 @@ Loop:
 		}
 	}

+	if metricsManager != nil {
+		metricsManager.Close()
+	}
+
 	return saveErr
 }
--- a/cmd/versitygw/utils.go
+++ b/cmd/versitygw/utils.go
@@ -71,7 +71,7 @@ func generateEventFiltersConfig(ctx *cli.Context) error {
 		s3event.EventObjectRestoreCompleted:     true,
 	}

-	configBytes, err := json.Marshal(config)
+	configBytes, err := json.MarshalIndent(config, "", "  ")
 	if err != nil {
 		return fmt.Errorf("parse event config: %w", err)
 	}
--- a/extra/example.conf
+++ b/extra/example.conf
@@ -153,6 +153,14 @@ ROOT_SECRET_ACCESS_KEY=
 # specified, all configured bucket events will be sent to the webhook.
 #VGW_EVENT_WEBHOOK_URL=

+# Bucket events can be filtered for any of the above event types. The
+# VGW_EVENT_FILTER option specifies a config file that contains the event
+# filter rules. The event filter rules are used to determine which events are
+# sent to the configured event services. Run:
+# versitygw utils gen-event-filter-config --path .
+# to generate a default rules file "event_config.json" in the current directory.
+#VGW_EVENT_FILTER=
+
 #######################
 # Debug / Diagnostics #
 #######################
@@ -182,20 +190,25 @@ ROOT_SECRET_ACCESS_KEY=
 # as a dedicated IAM service.
 #VGW_IAM_DIR=

-# The ldap options will enable the LDAP IAM service with accounts stored in an
-# external LDAP service. The VGW_IAM_LDAP_ACCESS_ATR, VGW_IAM_LDAP_SECRET_ATR,
-# and VGW_IAM_LDAP_ROLE_ATR define the LDAP attributes that map to access,
-# secret credentials and role respectively. The other options are used to
-# connect to the LDAP service.
-#VGW_IAM_LDAP_URL=
-#VGW_IAM_LDAP_BASE_DN=
-#VGW_IAM_LDAP_BIND_DN=
-#VGW_IAM_LDAP_BIND_PASS=
-#VGW_IAM_LDAP_QUERY_BASE=
-#VGW_IAM_LDAP_OBJECT_CLASSES=
-#VGW_IAM_LDAP_ACCESS_ATR=
-#VGW_IAM_LDAP_SECRET_ATR=
-#VGW_IAM_LDAP_ROLE_ATR=
+# The Vault options will enable the Vault IAM service with accounts stored in
+# the HashiCorp Vault service. The Vault URL is the address and port of the
+# Vault server with the format <IP/host>:<port>. A root taken can be used for
+# testing, but it is recommended to use the role based authentication in
+# production. The Vault server certificate, client certificate, and client
+# certificate key are optional, and will default to not verifying the server
+# certificate and not using client certificates. The Vault server certificate
+# is used to verify the Vault server, and the client certificate and key are
+# used to authenticate the gateway to the Vault server. See wiki documentation
+# for an example of using Vault in dev mode with the gateway.
+#VGW_IAM_VAULT_ENDPOINT_URL=
+#VGW_IAM_VAULT_SECRET_STORAGE_PATH=
+#VGW_IAM_VAULT_MOUNT_PATH=
+#VGW_IAM_VAULT_ROOT_TOKEN=
+#VGW_IAM_VAULT_ROLE_ID=
+#VGW_IAM_VAULT_ROLE_SECRET=
+#VGW_IAM_VAULT_SERVER_CERT=
+#VGW_IAM_VAULT_CLIENT_CERT=
+#VGW_IAM_VAULT_CLIENT_CERT_KEY=

 # The VGW_S3 IAM service is similar to the internal IAM service, but instead
 # stores the account information JSON encoded in an S3 object. This should use
@@ -210,6 +223,21 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_S3_IAM_BUCKET=
 #VGW_S3_IAM_NO_VERIFY=

+# The LDAP options will enable the LDAP IAM service with accounts stored in an
+# external LDAP service. The VGW_IAM_LDAP_ACCESS_ATR, VGW_IAM_LDAP_SECRET_ATR,
+# and VGW_IAM_LDAP_ROLE_ATR define the LDAP attributes that map to access,
+# secret credentials and role respectively. The other options are used to
+# connect to the LDAP service.
+#VGW_IAM_LDAP_URL=
+#VGW_IAM_LDAP_BASE_DN=
+#VGW_IAM_LDAP_BIND_DN=
+#VGW_IAM_LDAP_BIND_PASS=
+#VGW_IAM_LDAP_QUERY_BASE=
+#VGW_IAM_LDAP_OBJECT_CLASSES=
+#VGW_IAM_LDAP_ACCESS_ATR=
+#VGW_IAM_LDAP_SECRET_ATR=
+#VGW_IAM_LDAP_ROLE_ATR=
+
 ###############
 # IAM caching #
 ###############
@@ -228,6 +256,29 @@ ROOT_SECRET_ACCESS_KEY=
 #VGW_IAM_CACHE_TTL=120
 #VGW_IAM_CACHE_PRUNE=3600

+###########
+# Metrics #
+###########
+
+# The metrics service name is a tag that is added to all metrics to help
+# identify the source of the metrics. This is especially useful when multiple
+# gateways are running. The default is the hostname of the system.
+#VGW_METRICS_SERVICE_NAME=$HOSTNAME
+
+# The metrics service will send metrics to the configured statsd servers. The
+# servers are specified as a comma separated list of host:port pairs. The
+# default is to not send metrics to any statsd servers. The gateway uses
+# InfluxDB flavor of statsd metrics tags for the StatsD metrics type.
+#VGW_METRICS_STATSD_SERVERS=
+
+# The metrics service will send metrics to the configured dogstatsd servers.
+# The servers are specified as a comma separated list of host:port pairs. The
+# default is to not send metrics to any dogstatsd servers. Generally
+# DataDog recommends installing a local agent to collect metrics and forward
+# them to the DataDog service. In this case the option value would be the
+# local agent address: 127.0.0.1:8125.
+#VGW_METRICS_DOGSTATS_SERVERS=
+
 ######################################
 # VersityGW Backend Specific Options #
 ######################################
--- a/go.mod
+++ b/go.mod
@@ -3,60 +3,71 @@ module github.com/versity/versitygw
 go 1.21.0

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
-	github.com/aws/aws-sdk-go-v2 v1.26.1
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
+	github.com/DataDog/datadog-go/v5 v5.5.0
+	github.com/aws/aws-sdk-go-v2 v1.27.2
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.55.1
 	github.com/aws/smithy-go v1.20.2
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/gofiber/fiber/v2 v2.52.4
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
-	github.com/nats-io/nats.go v1.34.1
+	github.com/hashicorp/vault-client-go v0.4.3
+	github.com/nats-io/nats.go v1.35.0
 	github.com/pkg/xattr v0.4.9
 	github.com/segmentio/kafka-go v0.4.47
+	github.com/smira/go-statsd v1.3.3
 	github.com/urfave/cli/v2 v2.27.2
-	github.com/valyala/fasthttp v1.52.0
+	github.com/valyala/fasthttp v1.54.0
 	github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44
-	golang.org/x/sys v0.19.0
+	golang.org/x/sys v0.21.0
 )

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/nats-io/nkeys v0.4.7 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/net v0.24.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
 )

 require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.11
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.24
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.9 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 h1:1nGuui+4POelzDwI7RG56yfQJHCnKvwfMoU7VsEp+Zg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0/go.mod h1:99EvauvlcJ1U06amZiksfYz/3aFGyIhWGHVyiZXtBAI=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 h1:FDif4R1+UUR+00q6wquyX90K7A8dN+R5E8GEadoP7sU=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2/go.mod h1:aiYBYui4BJ/BJCAIKs92XiPyQfTaBWqvHujDwKb6CBU=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.6.0 h1:sUFnFjzDUie80h24I7mrKtwCKgLY9L8h5Tp2x9+TWqk=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.6.0/go.mod h1:52JbnQTp15qg5mRkMBHwp0j0ZFwHJ42Sx3zVV5RE9p0=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 h1:H+U3Gk9zY56G3u872L82bk4thcsy2Gghb9ExT4Zvm1o=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0/go.mod h1:mgrmMSgaLp9hmax62XQTd0N4aAqSE5E0DulSpVYK7vc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0 h1:AifHbc4mg0x9zW52WOpKbsHaDKuRhlI7TVl47thgQ70=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0/go.mod h1:T5RfihdXtBDxt1Ch2wobif3TvzTdumDy29kahv6AV9A=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2 h1:YUUxeiOWgdAQE3pXt2H7QXzZs0q8UBjgRbl56qo8GYM=
@@ -12,46 +12,51 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
+github.com/DataDog/datadog-go/v5 v5.5.0 h1:G5KHeB8pWBNXT4Jtw0zAkhdxEAWSpWH00geHI6LDrKU=
+github.com/DataDog/datadog-go/v5 v5.5.0/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
+github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
-github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
-github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
+github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
-github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
-github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 h1:7Zwtt/lP3KNRkeZre7soMELMGNoBrutx8nobg1jKWmo=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15/go.mod h1:436h2adoHb57yd+8W+gYPrrA9U/R/SuAuOO42Ushzhw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
+github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
+github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.24 h1:FzNwpVTZDCvm597Ty6mGYvxTolyC1oup0waaKntZI4E=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.24/go.mod h1:wM9NElT/Wn6n3CT1eyVcXtfCy8lSVjjQXfdawQbSShc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.9 h1:vHyZxoLVOgrI8GqX7OMHLXp4YYoxeEsrjweXKpye+ds=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.9/go.mod h1:z9VXZsWA2BvZNH1dT0ToUYwMu/CR9Skkj/TBX+mceZw=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7/go.mod h1:mxV05U+4JiHqIpGqqYXOHLPKUC6bDXC44bsUhNjOEwY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 h1:f9RyWNtS8oH7cZlbn+/JNPpjUk5+5fLd5lM9M0i49Ys=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5/go.mod h1:h5CoMZV2VF297/VLhRhO1WF+XYWOzXo+4HsObA4HjBQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.11 h1:4vt9Sspk59EZyHCAEMaktHKiq0C09noRTQorXD/qV+s=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.11/go.mod h1:5jHR79Tv+Ccq6rwYh+W7Nptmw++WiFafMfR42XhwNl8=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.9 h1:TE2i0A9ErH1YfRSvXfCr2SQwfnqsoJT9nPQ9kj0lkxM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.9/go.mod h1:9TzXX3MehQNGPwCZ3ka4CpwQsoAMWSF48/b+De9rfVM=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.55.1 h1:UAxBuh0/8sFJk1qOkvOKewP5sWeWaTPDknbQz0ZkDm0=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.55.1/go.mod h1:hWjsYGjVuqCgfoveVcVFPXIWgz0aByzwaxKlN1StKcM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
 github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
@@ -59,26 +64,39 @@ github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
-github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM=
-github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
 github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/gofiber/fiber/v2 v2.52.4 h1:P+T+4iK7VaqUsq2PALYEfBBo6bJZ4q3FP8cZ84EggTM=
 github.com/gofiber/fiber/v2 v2.52.4/go.mod h1:KEOE+cXMhXG0zHc9d8+E38hoX+ZN7bhOtgeF2oT6jrQ=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/vault-client-go v0.4.3 h1:zG7STGVgn/VK6rnZc0k8PGbfv2x/sJExRKHSUg3ljWc=
+github.com/hashicorp/vault-client-go v0.4.3/go.mod h1:4tDw7Uhq5XOxS1fO+oMtotHL7j4sB9cp0T7U6m4FzDY=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -107,8 +125,10 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/nats-io/nats.go v1.34.1 h1:syWey5xaNHZgicYBemv0nohUPPmaLteiBEUT6Q5+F/4=
-github.com/nats-io/nats.go v1.34.1/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/nats-io/nats.go v1.35.0 h1:XFNqNM7v5B+MQMKqVGAyHwYhyKb48jrenXNxIU20ULk=
+github.com/nats-io/nats.go v1.35.0/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
 github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
 github.com/nats-io/nkeys v0.4.7/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
@@ -118,6 +138,7 @@ github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
 github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -127,11 +148,18 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
+github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/segmentio/kafka-go v0.4.47 h1:IqziR4pA3vrZq7YdRxaT3w1/5fvIH5qpCwstUanQQB0=
 github.com/segmentio/kafka-go v0.4.47/go.mod h1:HjF6XbOKh0Pjlkr5GVZxt6CsjjwnmhVOfURM5KMd8qg=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/smira/go-statsd v1.3.3 h1:WnMlmGTyMpzto+HvOJWRPoLaLlk5EGfzsnlQBcvj4yI=
+github.com/smira/go-statsd v1.3.3/go.mod h1:RjdsESPgDODtg1VpVVf9MJrEW2Hw0wtRNbmB1CAhu6A=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -142,8 +170,8 @@ github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI=
 github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.52.0 h1:wqBQpxH71XW0e2g+Og4dzQM8pk34aFYlA1Ga8db7gU0=
-github.com/valyala/fasthttp v1.52.0/go.mod h1:hf5C4QnVMkNXMspnsUlfM3WitlgYflyhHYoKol/szxQ=
+github.com/valyala/fasthttp v1.54.0 h1:cCL+ZZR3z3HPLMVfEYVUMtJqVaui0+gu7Lx63unHwS0=
+github.com/valyala/fasthttp v1.54.0/go.mod h1:6dt4/8olwq9QARP/TDuPmWyWcl4byhpvTJ4AAtcz+QM=
 github.com/valyala/tcplisten v1.0.0 h1:rBHj/Xf+E1tRGZyWIWwJDiRY0zc1Js+CV5DqwacVSA8=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/versity/scoutfs-go v0.0.0-20240325223134-38eb2f5f7d44 h1:Wx1o3pNrCzsHIIDyZ2MLRr6tF/1FhAr7HNDn80QqDWE=
@@ -156,20 +184,25 @@ github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6
 github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw=
 github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -177,13 +210,19 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -196,8 +235,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -212,13 +251,19 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/metrics/actions.go
+++ b/metrics/actions.go
@@ -0,0 +1,258 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package metrics
+
+type Action struct {
+	Name    string
+	Service string
+}
+
+var (
+	ActionMap map[string]Action
+)
+
+var (
+	ActionUndetected                 = "ActionUnDetected"
+	ActionAbortMultipartUpload       = "s3_AbortMultipartUpload"
+	ActionCompleteMultipartUpload    = "s3_CompleteMultipartUpload"
+	ActionCopyObject                 = "s3_CopyObject"
+	ActionCreateBucket               = "s3_CreateBucket"
+	ActionCreateMultipartUpload      = "s3_CreateMultipartUpload"
+	ActionDeleteBucket               = "s3_DeleteBucket"
+	ActionDeleteBucketPolicy         = "s3_DeleteBucketPolicy"
+	ActionDeleteBucketTagging        = "s3_DeleteBucketTagging"
+	ActionDeleteObject               = "s3_DeleteObject"
+	ActionDeleteObjectTagging        = "s3_DeleteObjectTagging"
+	ActionDeleteObjects              = "s3_DeleteObjects"
+	ActionGetBucketAcl               = "s3_GetBucketAcl"
+	ActionGetBucketPolicy            = "s3_GetBucketPolicy"
+	ActionGetBucketTagging           = "s3_GetBucketTagging"
+	ActionGetBucketVersioning        = "s3_GetBucketVersioning"
+	ActionGetObject                  = "s3_GetObject"
+	ActionGetObjectAcl               = "s3_GetObjectAcl"
+	ActionGetObjectAttributes        = "s3_GetObjectAttributes"
+	ActionGetObjectLegalHold         = "s3_GetObjectLegalHold"
+	ActionGetObjectLockConfiguration = "s3_GetObjectLockConfiguration"
+	ActionGetObjectRetention         = "s3_GetObjectRetention"
+	ActionGetObjectTagging           = "s3_GetObjectTagging"
+	ActionHeadBucket                 = "s3_HeadBucket"
+	ActionHeadObject                 = "s3_HeadObject"
+	ActionListAllMyBuckets           = "s3_ListAllMyBuckets"
+	ActionListMultipartUploads       = "s3_ListMultipartUploads"
+	ActionListObjectVersions         = "s3_ListObjectVersions"
+	ActionListObjects                = "s3_ListObjects"
+	ActionListObjectsV2              = "s3_ListObjectsV2"
+	ActionListParts                  = "s3_ListParts"
+	ActionPutBucketAcl               = "s3_PutBucketAcl"
+	ActionPutBucketPolicy            = "s3_PutBucketPolicy"
+	ActionPutBucketTagging           = "s3_PutBucketTagging"
+	ActionPutBucketVersioning        = "s3_PutBucketVersioning"
+	ActionPutObject                  = "s3_PutObject"
+	ActionPutObjectAcl               = "s3_PutObjectAcl"
+	ActionPutObjectLegalHold         = "s3_PutObjectLegalHold"
+	ActionPutObjectLockConfiguration = "s3_PutObjectLockConfiguration"
+	ActionPutObjectRetention         = "s3_PutObjectRetention"
+	ActionPutObjectTagging           = "s3_PutObjectTagging"
+	ActionRestoreObject              = "s3_RestoreObject"
+	ActionSelectObjectContent        = "s3_SelectObjectContent"
+	ActionUploadPart                 = "s3_UploadPart"
+	ActionUploadPartCopy             = "s3_UploadPartCopy"
+)
+
+func init() {
+	ActionMap = make(map[string]Action)
+
+	ActionMap[ActionUndetected] = Action{
+		Name:    "ActionUnDetected",
+		Service: "unknown",
+	}
+
+	ActionMap[ActionAbortMultipartUpload] = Action{
+		Name:    "AbortMultipartUpload",
+		Service: "s3",
+	}
+	ActionMap[ActionCompleteMultipartUpload] = Action{
+		Name:    "CompleteMultipartUpload",
+		Service: "s3",
+	}
+	ActionMap[ActionCopyObject] = Action{
+		Name:    "CopyObject",
+		Service: "s3",
+	}
+	ActionMap[ActionCreateBucket] = Action{
+		Name:    "CreateBucket",
+		Service: "s3",
+	}
+	ActionMap[ActionCreateMultipartUpload] = Action{
+		Name:    "CreateMultipartUpload",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucket] = Action{
+		Name:    "DeleteBucket",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketPolicy] = Action{
+		Name:    "DeleteBucketPolicy",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteBucketTagging] = Action{
+		Name:    "DeleteBucketTagging",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteObject] = Action{
+		Name:    "DeleteObject",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteObjectTagging] = Action{
+		Name:    "DeleteObjectTagging",
+		Service: "s3",
+	}
+	ActionMap[ActionDeleteObjects] = Action{
+		Name:    "DeleteObjects",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketAcl] = Action{
+		Name:    "GetBucketAcl",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketPolicy] = Action{
+		Name:    "GetBucketPolicy",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketTagging] = Action{
+		Name:    "GetBucketTagging",
+		Service: "s3",
+	}
+	ActionMap[ActionGetBucketVersioning] = Action{
+		Name:    "GetBucketVersioning",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObject] = Action{
+		Name:    "GetObject",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObjectAcl] = Action{
+		Name:    "GetObjectAcl",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObjectAttributes] = Action{
+		Name:    "GetObjectAttributes",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObjectLegalHold] = Action{
+		Name:    "GetObjectLegalHold",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObjectLockConfiguration] = Action{
+		Name:    "GetObjectLockConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObjectRetention] = Action{
+		Name:    "GetObjectRetention",
+		Service: "s3",
+	}
+	ActionMap[ActionGetObjectTagging] = Action{
+		Name:    "GetObjectTagging",
+		Service: "s3",
+	}
+	ActionMap[ActionHeadBucket] = Action{
+		Name:    "HeadBucket",
+		Service: "s3",
+	}
+	ActionMap[ActionHeadObject] = Action{
+		Name:    "HeadObject",
+		Service: "s3",
+	}
+	ActionMap[ActionListAllMyBuckets] = Action{
+		Name:    "ListAllMyBuckets",
+		Service: "s3",
+	}
+	ActionMap[ActionListMultipartUploads] = Action{
+		Name:    "ListMultipartUploads",
+		Service: "s3",
+	}
+	ActionMap[ActionListObjectVersions] = Action{
+		Name:    "ListObjectVersions",
+		Service: "s3",
+	}
+	ActionMap[ActionListObjects] = Action{
+		Name:    "ListObjects",
+		Service: "s3",
+	}
+	ActionMap[ActionListObjectsV2] = Action{
+		Name:    "ListObjectsV2",
+		Service: "s3",
+	}
+	ActionMap[ActionListParts] = Action{
+		Name:    "ListParts",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketAcl] = Action{
+		Name:    "PutBucketAcl",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketPolicy] = Action{
+		Name:    "PutBucketPolicy",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketTagging] = Action{
+		Name:    "PutBucketTagging",
+		Service: "s3",
+	}
+	ActionMap[ActionPutBucketVersioning] = Action{
+		Name:    "PutBucketVersioning",
+		Service: "s3",
+	}
+	ActionMap[ActionPutObject] = Action{
+		Name:    "PutObject",
+		Service: "s3",
+	}
+	ActionMap[ActionPutObjectAcl] = Action{
+		Name:    "PutObjectAcl",
+		Service: "s3",
+	}
+	ActionMap[ActionPutObjectLegalHold] = Action{
+		Name:    "PutObjectLegalHold",
+		Service: "s3",
+	}
+	ActionMap[ActionPutObjectLockConfiguration] = Action{
+		Name:    "PutObjectLockConfiguration",
+		Service: "s3",
+	}
+	ActionMap[ActionPutObjectRetention] = Action{
+		Name:    "PutObjectRetention",
+		Service: "s3",
+	}
+	ActionMap[ActionPutObjectTagging] = Action{
+		Name:    "PutObjectTagging",
+		Service: "s3",
+	}
+	ActionMap[ActionRestoreObject] = Action{
+		Name:    "RestoreObject",
+		Service: "s3",
+	}
+	ActionMap[ActionSelectObjectContent] = Action{
+		Name:    "SelectObjectContent",
+		Service: "s3",
+	}
+	ActionMap[ActionUploadPart] = Action{
+		Name:    "UploadPart",
+		Service: "s3",
+	}
+	ActionMap[ActionUploadPartCopy] = Action{
+		Name:    "UploadPartCopy",
+		Service: "s3",
+	}
+}
--- a/metrics/dogstats.go
+++ b/metrics/dogstats.go
@@ -0,0 +1,65 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package metrics
+
+import (
+	"fmt"
+
+	dogstats "github.com/DataDog/datadog-go/v5/statsd"
+)
+
+// vgwDogStatsd metrics type
+type vgwDogStatsd struct {
+	c *dogstats.Client
+}
+
+var (
+	rateSampleAlways = 1.0
+)
+
+// newDogStatsd takes a server address and returns a statsd merics
+func newDogStatsd(server string, service string) (*vgwDogStatsd, error) {
+	c, err := dogstats.New(server,
+		dogstats.WithMaxMessagesPerPayload(1000),
+		dogstats.WithNamespace("versitygw"),
+		dogstats.WithTags([]string{
+			"service:" + service,
+		}))
+	if err != nil {
+		return nil, err
+	}
+	return &vgwDogStatsd{c: c}, nil
+}
+
+// Close closes statsd connections
+func (s *vgwDogStatsd) Close() {
+	s.c.Close()
+}
+
+func (t Tag) ddString() string {
+	if t.Value == "" {
+		return t.Key
+	}
+	return fmt.Sprintf("%v:%v", t.Key, t.Value)
+}
+
+// Add adds value to key
+func (s *vgwDogStatsd) Add(key string, value int64, tags ...Tag) {
+	stags := make([]string, len(tags))
+	for i, t := range tags {
+		stags[i] = t.ddString()
+	}
+	s.c.Count(key, value, stags, rateSampleAlways)
+}
--- a/metrics/metrics.go
+++ b/metrics/metrics.go
@@ -0,0 +1,225 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package metrics
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/s3err"
+)
+
+var (
+	// max size of data items to buffer before dropping
+	// new incoming data items
+	dataItemCount = 100000
+)
+
+// Tag is added metadata for metrics
+type Tag struct {
+	// Key is tag name
+	Key string
+	// Value is tag data
+	Value string
+}
+
+// Manager is a manager of metrics plugins
+type Manager struct {
+	wg  sync.WaitGroup
+	ctx context.Context
+
+	config Config
+
+	publishers  []publisher
+	addDataChan chan datapoint
+}
+
+type Config struct {
+	ServiceName      string
+	StatsdServers    string
+	DogStatsdServers string
+}
+
+// NewManager initializes metrics plugins and returns a new metrics manager
+func NewManager(ctx context.Context, conf Config) (*Manager, error) {
+	if len(conf.StatsdServers) == 0 && len(conf.DogStatsdServers) == 0 {
+		return nil, nil
+	}
+
+	if conf.ServiceName == "" {
+		hostname, err := os.Hostname()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get hostname: %w", err)
+		}
+		conf.ServiceName = hostname
+	}
+
+	addDataChan := make(chan datapoint, dataItemCount)
+
+	mgr := &Manager{
+		addDataChan: addDataChan,
+		ctx:         ctx,
+		config:      conf,
+	}
+
+	// setup statsd endpoints
+	if len(conf.StatsdServers) > 0 {
+		statsdServers := strings.Split(conf.StatsdServers, ",")
+
+		for _, server := range statsdServers {
+			statsd, err := newStatsd(server, conf.ServiceName)
+			if err != nil {
+				return nil, err
+			}
+			mgr.publishers = append(mgr.publishers, statsd)
+		}
+	}
+
+	// setup dogstatsd endpoints
+	if len(conf.DogStatsdServers) > 0 {
+		dogStatsdServers := strings.Split(conf.DogStatsdServers, ",")
+
+		for _, server := range dogStatsdServers {
+			dogStatsd, err := newDogStatsd(server, conf.ServiceName)
+			if err != nil {
+				return nil, err
+			}
+			mgr.publishers = append(mgr.publishers, dogStatsd)
+		}
+	}
+
+	mgr.wg.Add(1)
+	go mgr.addForwarder(addDataChan)
+
+	return mgr, nil
+}
+
+func (m *Manager) Send(ctx *fiber.Ctx, err error, action string, count int64, status int) {
+	// In case of Authentication failures, url parsing ...
+	if action == "" {
+		action = ActionUndetected
+	}
+
+	a := ActionMap[action]
+	reqTags := []Tag{
+		{Key: "method", Value: ctx.Method()},
+		{Key: "api", Value: a.Service},
+		{Key: "action", Value: a.Name},
+	}
+
+	reqStatus := status
+
+	if err != nil {
+		var apierr s3err.APIError
+		if errors.As(err, &apierr) {
+			reqStatus = apierr.HTTPStatusCode
+		} else {
+			reqStatus = http.StatusInternalServerError
+		}
+	}
+	if reqStatus == 0 {
+		reqStatus = http.StatusOK
+	}
+
+	reqTags = append(reqTags, Tag{
+		Key:   "status",
+		Value: fmt.Sprintf("%v", reqStatus),
+	})
+
+	if err != nil {
+		m.increment("failed_count", reqTags...)
+	} else {
+		m.increment("success_count", reqTags...)
+	}
+
+	switch action {
+	case ActionPutObject:
+		m.add("bytes_written", count, reqTags...)
+		m.increment("object_created_count", reqTags...)
+	case ActionCompleteMultipartUpload:
+		m.increment("object_created_count", reqTags...)
+	case ActionUploadPart:
+		m.add("bytes_written", count, reqTags...)
+	case ActionGetObject:
+		m.add("bytes_read", count, reqTags...)
+	case ActionDeleteObject:
+		m.increment("object_removed_count", reqTags...)
+	case ActionDeleteObjects:
+		m.add("object_removed_count", count, reqTags...)
+	}
+}
+
+// increment increments the key by one
+func (m *Manager) increment(key string, tags ...Tag) {
+	m.add(key, 1, tags...)
+}
+
+// add adds value to key
+func (m *Manager) add(key string, value int64, tags ...Tag) {
+	if m.ctx.Err() != nil {
+		return
+	}
+
+	d := datapoint{
+		key:   key,
+		value: value,
+		tags:  tags,
+	}
+
+	select {
+	case m.addDataChan <- d:
+	default:
+		// channel full, drop the updates
+	}
+}
+
+// Close closes metrics channels, waits for data to complete, closes all plugins
+func (m *Manager) Close() {
+	// drain the datapoint channels
+	close(m.addDataChan)
+	m.wg.Wait()
+
+	// close all publishers
+	for _, p := range m.publishers {
+		p.Close()
+	}
+}
+
+// publisher is the interface for interacting with the metrics plugins
+type publisher interface {
+	Add(key string, value int64, tags ...Tag)
+	Close()
+}
+
+func (m *Manager) addForwarder(addChan <-chan datapoint) {
+	for data := range addChan {
+		for _, s := range m.publishers {
+			s.Add(data.key, data.value, data.tags...)
+		}
+	}
+	m.wg.Done()
+}
+
+type datapoint struct {
+	key   string
+	value int64
+	tags  []Tag
+}
--- a/metrics/statsd.go
+++ b/metrics/statsd.go
@@ -0,0 +1,51 @@
+// Copyright 2024 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package metrics
+
+import (
+	"github.com/smira/go-statsd"
+)
+
+// vgwStatsd metrics type
+type vgwStatsd struct {
+	c *statsd.Client
+}
+
+// newStatsd takes a server address and returns a statsd merics
+// Supply service name to be used as a tag to identify the spcific
+// gateway instance, this may typically be the gateway hostname
+func newStatsd(server string, service string) (*vgwStatsd, error) {
+	c := statsd.NewClient(
+		server,
+		statsd.MetricPrefix("versitygw."),
+		statsd.TagStyle(statsd.TagFormatInfluxDB),
+		statsd.DefaultTags(statsd.StringTag("service", service)),
+	)
+	return &vgwStatsd{c: c}, nil
+}
+
+// Close closes statsd connections
+func (s *vgwStatsd) Close() {
+	s.c.Close()
+}
+
+// Add adds value to key
+func (s *vgwStatsd) Add(key string, value int64, tags ...Tag) {
+	stags := make([]statsd.Tag, len(tags))
+	for i, t := range tags {
+		stags[i] = statsd.StringTag(t.Key, t.Value)
+	}
+	s.c.Incr(key, value, stags...)
+}
--- a/s3api/admin-server.go
+++ b/s3api/admin-server.go
@@ -46,12 +46,11 @@ func NewAdminServer(app *fiber.App, be backend.Backend, root middlewares.RootUse

 	// Logging middlewares
 	app.Use(logger.New())
-	app.Use(middlewares.DecodeURL(nil))
+	app.Use(middlewares.DecodeURL(nil, nil))

 	// Authentication middlewares
-	app.Use(middlewares.VerifyV4Signature(root, iam, nil, region, false))
+	app.Use(middlewares.VerifyV4Signature(root, iam, nil, nil, region, false))
 	app.Use(middlewares.VerifyMD5Body(nil))
-	app.Use(middlewares.AclParser(be, nil))

 	server.router.Init(app, be, iam)

--- a/s3api/controllers/backend_moq_test.go
+++ b/s3api/controllers/backend_moq_test.go
@@ -143,7 +143,7 @@ var _ backend.Backend = &BackendMock{}
 //			PutObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string, config []byte) error {
 //				panic("mock out the PutObjectLockConfiguration method")
 //			},
-//			PutObjectRetentionFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string, retention []byte) error {
+//			PutObjectRetentionFunc: func(contextMoqParam context.Context, bucket string, object string, versionId string, bypass bool, retention []byte) error {
 //				panic("mock out the PutObjectRetention method")
 //			},
 //			PutObjectTaggingFunc: func(contextMoqParam context.Context, bucket string, object string, tags map[string]string) error {
@@ -295,7 +295,7 @@ type BackendMock struct {
 	PutObjectLockConfigurationFunc func(contextMoqParam context.Context, bucket string, config []byte) error

 	// PutObjectRetentionFunc mocks the PutObjectRetention method.
-	PutObjectRetentionFunc func(contextMoqParam context.Context, bucket string, object string, versionId string, retention []byte) error
+	PutObjectRetentionFunc func(contextMoqParam context.Context, bucket string, object string, versionId string, bypass bool, retention []byte) error

 	// PutObjectTaggingFunc mocks the PutObjectTagging method.
 	PutObjectTaggingFunc func(contextMoqParam context.Context, bucket string, object string, tags map[string]string) error
@@ -642,6 +642,8 @@ type BackendMock struct {
 			Object string
 			// VersionId is the versionId argument value.
 			VersionId string
+			// Bypass is the bypass argument value.
+			Bypass bool
 			// Retention is the retention argument value.
 			Retention []byte
 		}
@@ -2246,7 +2248,7 @@ func (mock *BackendMock) PutObjectLockConfigurationCalls() []struct {
 }

 // PutObjectRetention calls PutObjectRetentionFunc.
-func (mock *BackendMock) PutObjectRetention(contextMoqParam context.Context, bucket string, object string, versionId string, retention []byte) error {
+func (mock *BackendMock) PutObjectRetention(contextMoqParam context.Context, bucket string, object string, versionId string, bypass bool, retention []byte) error {
 	if mock.PutObjectRetentionFunc == nil {
 		panic("BackendMock.PutObjectRetentionFunc: method is nil but Backend.PutObjectRetention was just called")
 	}
@@ -2255,18 +2257,20 @@ func (mock *BackendMock) PutObjectRetention(contextMoqParam context.Context, buc
 		Bucket          string
 		Object          string
 		VersionId       string
+		Bypass          bool
 		Retention       []byte
 	}{
 		ContextMoqParam: contextMoqParam,
 		Bucket:          bucket,
 		Object:          object,
 		VersionId:       versionId,
+		Bypass:          bypass,
 		Retention:       retention,
 	}
 	mock.lockPutObjectRetention.Lock()
 	mock.calls.PutObjectRetention = append(mock.calls.PutObjectRetention, callInfo)
 	mock.lockPutObjectRetention.Unlock()
-	return mock.PutObjectRetentionFunc(contextMoqParam, bucket, object, versionId, retention)
+	return mock.PutObjectRetentionFunc(contextMoqParam, bucket, object, versionId, bypass, retention)
 }

 // PutObjectRetentionCalls gets all the calls that were made to PutObjectRetention.
@@ -2278,6 +2282,7 @@ func (mock *BackendMock) PutObjectRetentionCalls() []struct {
 	Bucket          string
 	Object          string
 	VersionId       string
+	Bypass          bool
 	Retention       []byte
 } {
 	var calls []struct {
@@ -2285,6 +2290,7 @@ func (mock *BackendMock) PutObjectRetentionCalls() []struct {
 		Bucket          string
 		Object          string
 		VersionId       string
+		Bypass          bool
 		Retention       []byte
 	}
 	mock.lockPutObjectRetention.RLock()
--- a/s3api/controllers/base.go
+++ b/s3api/controllers/base.go
--- a/s3api/controllers/base_test.go
+++ b/s3api/controllers/base_test.go
@@ -77,7 +77,7 @@ func TestNew(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := New(tt.args.be, tt.args.iam, nil, nil, false)
+			got := New(tt.args.be, tt.args.iam, nil, nil, nil, false, false)
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("New() = %v, want %v", got, tt.want)
 			}
@@ -593,14 +593,6 @@ func TestS3ApiController_PutBucketActions(t *testing.T) {
 	</AccessControlPolicy>
 	`

-	succBody := `
-	<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
-		<Owner>
-			<ID>valid access</ID>
-		</Owner>
-	</AccessControlPolicy>
-	`
-
 	tagBody := `
 	<Tagging xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
 		<TagSet>
@@ -690,10 +682,9 @@ func TestS3ApiController_PutBucketActions(t *testing.T) {

 	// PutBucketAcl incorrect bucket owner case
 	incorrectBucketOwner := httptest.NewRequest(http.MethodPut, "/my-bucket?acl", strings.NewReader(invOwnerBody))
-	incorrectBucketOwner.Header.Set("X-Amz-Acl", "private")

 	// PutBucketAcl acl success
-	aclSuccReq := httptest.NewRequest(http.MethodPut, "/my-bucket?acl", strings.NewReader(succBody))
+	aclSuccReq := httptest.NewRequest(http.MethodPut, "/my-bucket?acl", nil)
 	aclSuccReq.Header.Set("X-Amz-Acl", "private")

 	// Invalid acl body case
@@ -896,7 +887,7 @@ func TestS3ApiController_PutActions(t *testing.T) {

 	legalHoldBody := `
 	<LegalHold xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
-		<Status>string</Status>
+		<Status>ON</Status>
 	</LegalHold>
 	`

@@ -929,7 +920,7 @@ func TestS3ApiController_PutActions(t *testing.T) {
 			PutObjectLegalHoldFunc: func(contextMoqParam context.Context, bucket, object, versionId string, status bool) error {
 				return nil
 			},
-			PutObjectRetentionFunc: func(contextMoqParam context.Context, bucket, object, versionId string, retention []byte) error {
+			PutObjectRetentionFunc: func(contextMoqParam context.Context, bucket, object, versionId string, bypass bool, retention []byte) error {
 				return nil
 			},
 			GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
--- a/s3api/middlewares/acl-parser.go
+++ b/s3api/middlewares/acl-parser.go
@@ -24,6 +24,7 @@ import (
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
 	"github.com/versity/versitygw/s3api/controllers"
+	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3log"
 )

@@ -31,7 +32,7 @@ var (
 	singlePath = regexp.MustCompile(`^/[^/]+/?$`)
 )

-func AclParser(be backend.Backend, logger s3log.AuditLogger) fiber.Handler {
+func AclParser(be backend.Backend, logger s3log.AuditLogger, readonly bool) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
 		isRoot, acct := ctx.Locals("isRoot").(bool), ctx.Locals("account").(auth.Account)
 		path := ctx.Path()
@@ -53,6 +54,13 @@ func AclParser(be backend.Backend, logger s3log.AuditLogger) fiber.Handler {
 			if err := auth.MayCreateBucket(acct, isRoot); err != nil {
 				return controllers.SendXMLResponse(ctx, nil, err, &controllers.MetaOpts{Logger: logger, Action: "CreateBucket"})
 			}
+			if readonly {
+				return controllers.SendXMLResponse(ctx, nil, s3err.GetAPIError(s3err.ErrAccessDenied),
+					&controllers.MetaOpts{
+						Logger: logger,
+						Action: "CreateBucket",
+					})
+			}
 			return ctx.Next()
 		}
 		data, err := be.GetBucketAcl(ctx.Context(), &s3.GetBucketAclInput{Bucket: &bucket})
--- a/s3api/middlewares/authentication.go
+++ b/s3api/middlewares/authentication.go
@@ -25,6 +25,7 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
@@ -40,7 +41,7 @@ type RootUserConfig struct {
 	Secret string
 }

-func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, region string, debug bool) fiber.Handler {
+func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, mm *metrics.Manager, region string, debug bool) fiber.Handler {
 	acct := accounts{root: root, iam: iam}

 	return func(ctx *fiber.Ctx) error {
@@ -54,16 +55,16 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au
 		ctx.Locals("startTime", time.Now())
 		authorization := ctx.Get("Authorization")
 		if authorization == "" {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrAuthHeaderEmpty), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrAuthHeaderEmpty), logger, mm)
 		}

 		authData, err := utils.ParseAuthorization(authorization)
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}

 		if authData.Algorithm != "AWS4-HMAC-SHA256" {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureVersionNotSupported), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureVersionNotSupported), logger, mm)
 		}

 		if authData.Region != region {
@@ -71,40 +72,40 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au
 				Code:           "SignatureDoesNotMatch",
 				Description:    fmt.Sprintf("Credential should be scoped to a valid Region, not %v", authData.Region),
 				HTTPStatusCode: http.StatusForbidden,
-			}, logger)
+			}, logger, mm)
 		}

 		ctx.Locals("isRoot", authData.Access == root.Access)

 		account, err := acct.getAccount(authData.Access)
 		if err == auth.ErrNoSuchUser {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)
 		}
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}
 		ctx.Locals("account", account)

 		// Check X-Amz-Date header
 		date := ctx.Get("X-Amz-Date")
 		if date == "" {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingDateHeader), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingDateHeader), logger, mm)
 		}

 		// Parse the date and check the date validity
 		tdate, err := time.Parse(iso8601Format, date)
 		if err != nil {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedDate), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedDate), logger, mm)
 		}

 		if date[:8] != authData.Date {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureDateDoesNotMatch), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureDateDoesNotMatch), logger, mm)
 		}

 		// Validate the dates difference
 		err = utils.ValidateDate(tdate)
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}

 		if utils.IsBigDataAction(ctx) {
@@ -125,7 +126,7 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au

 			// Compare the calculated hash with the hash provided
 			if hashPayload != hexPayload {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch), logger)
+				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch), logger, mm)
 			}
 		}

@@ -134,13 +135,13 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.Au
 		if contentLengthStr != "" {
 			contentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
 			if err != nil {
-				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), logger)
+				return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), logger, mm)
 			}
 		}

 		err = utils.CheckValidSignature(ctx, authData, account.Secret, hashPayload, tdate, contentLength, debug)
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}

 		return ctx.Next()
@@ -164,6 +165,6 @@ func (a accounts) getAccount(access string) (auth.Account, error) {
 	return a.iam.GetUserAccount(access)
 }

-func sendResponse(ctx *fiber.Ctx, err error, logger s3log.AuditLogger) error {
-	return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger})
+func sendResponse(ctx *fiber.Ctx, err error, logger s3log.AuditLogger, mm *metrics.Manager) error {
+	return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger, MetricsMng: mm})
 }
--- a/s3api/middlewares/chunk.go
+++ b/s3api/middlewares/chunk.go
@@ -20,13 +20,14 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3log"
 )

 // ProcessChunkedBody initializes the chunked upload stream if the
 // request appears to be a chunked upload
-func ProcessChunkedBody(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, region string) fiber.Handler {
+func ProcessChunkedBody(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, mm *metrics.Manager, region string) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
 		decodedLength := ctx.Get("X-Amz-Decoded-Content-Length")
 		if decodedLength == "" {
@@ -36,7 +37,7 @@ func ProcessChunkedBody(root RootUserConfig, iam auth.IAMService, logger s3log.A

 		authData, err := utils.ParseAuthorization(ctx.Get("Authorization"))
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}

 		acct := ctx.Locals("account").(auth.Account)
@@ -51,7 +52,7 @@ func ProcessChunkedBody(root RootUserConfig, iam auth.IAMService, logger s3log.A
 				return cr
 			})
 			if err != nil {
-				return sendResponse(ctx, err, logger)
+				return sendResponse(ctx, err, logger, mm)
 			}
 			return ctx.Next()
 		}
--- a/s3api/middlewares/presign-auth.go
+++ b/s3api/middlewares/presign-auth.go
@@ -20,12 +20,13 @@ import (

 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/utils"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3log"
 )

-func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, region string, debug bool) fiber.Handler {
+func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, mm *metrics.Manager, region string, debug bool) fiber.Handler {
 	acct := accounts{root: root, iam: iam}

 	return func(ctx *fiber.Ctx) error {
@@ -38,16 +39,16 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger

 		authData, err := utils.ParsePresignedURIParts(ctx)
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}

 		ctx.Locals("isRoot", authData.Access == root.Access)
 		account, err := acct.getAccount(authData.Access)
 		if err == auth.ErrNoSuchUser {
-			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger)
+			return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)
 		}
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}
 		ctx.Locals("account", account)

@@ -61,7 +62,7 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, logger

 		err = utils.CheckPresignedSignature(ctx, authData, account.Secret, debug)
 		if err != nil {
-			return sendResponse(ctx, err, logger)
+			return sendResponse(ctx, err, logger, mm)
 		}

 		return ctx.Next()
--- a/s3api/middlewares/url-decoder.go
+++ b/s3api/middlewares/url-decoder.go
@@ -18,17 +18,18 @@ import (
 	"net/url"

 	"github.com/gofiber/fiber/v2"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3err"
 	"github.com/versity/versitygw/s3log"
 )

-func DecodeURL(logger s3log.AuditLogger) fiber.Handler {
+func DecodeURL(logger s3log.AuditLogger, mm *metrics.Manager) fiber.Handler {
 	return func(ctx *fiber.Ctx) error {
 		reqURL := ctx.Request().URI().String()
 		decoded, err := url.Parse(reqURL)
 		if err != nil {
-			return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidURI), &controllers.MetaOpts{Logger: logger})
+			return controllers.SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidURI), &controllers.MetaOpts{Logger: logger, MetricsMng: mm})
 		}
 		ctx.Path(decoded.Path)
 		return ctx.Next()
--- a/s3api/router.go
+++ b/s3api/router.go
@@ -18,6 +18,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/controllers"
 	"github.com/versity/versitygw/s3event"
 	"github.com/versity/versitygw/s3log"
@@ -27,8 +28,8 @@ type S3ApiRouter struct {
 	WithAdmSrv bool
 }

-func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.AuditLogger, evs s3event.S3EventSender, debug bool) {
-	s3ApiController := controllers.New(be, iam, logger, evs, debug)
+func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMService, logger s3log.AuditLogger, evs s3event.S3EventSender, mm *metrics.Manager, debug bool, readonly bool) {
+	s3ApiController := controllers.New(be, iam, logger, evs, mm, debug, readonly)

 	if sa.WithAdmSrv {
 		adminController := controllers.NewAdminController(iam, be)
--- a/s3api/router_test.go
+++ b/s3api/router_test.go
@@ -45,7 +45,7 @@ func TestS3ApiRouter_Init(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tt.sa.Init(tt.args.app, tt.args.be, tt.args.iam, nil, nil, false)
+			tt.sa.Init(tt.args.app, tt.args.be, tt.args.iam, nil, nil, nil, false, false)
 		})
 	}
 }
--- a/s3api/server.go
+++ b/s3api/server.go
@@ -22,23 +22,35 @@ import (
 	"github.com/gofiber/fiber/v2/middleware/logger"
 	"github.com/versity/versitygw/auth"
 	"github.com/versity/versitygw/backend"
+	"github.com/versity/versitygw/metrics"
 	"github.com/versity/versitygw/s3api/middlewares"
 	"github.com/versity/versitygw/s3event"
 	"github.com/versity/versitygw/s3log"
 )

 type S3ApiServer struct {
-	app     *fiber.App
-	backend backend.Backend
-	router  *S3ApiRouter
-	port    string
-	cert    *tls.Certificate
-	quiet   bool
-	debug   bool
-	health  string
+	app      *fiber.App
+	backend  backend.Backend
+	router   *S3ApiRouter
+	port     string
+	cert     *tls.Certificate
+	quiet    bool
+	debug    bool
+	readonly bool
+	health   string
 }

-func New(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, port, region string, iam auth.IAMService, l s3log.AuditLogger, evs s3event.S3EventSender, opts ...Option) (*S3ApiServer, error) {
+func New(
+	app *fiber.App,
+	be backend.Backend,
+	root middlewares.RootUserConfig,
+	port, region string,
+	iam auth.IAMService,
+	l s3log.AuditLogger,
+	evs s3event.S3EventSender,
+	mm *metrics.Manager,
+	opts ...Option,
+) (*S3ApiServer, error) {
 	server := &S3ApiServer{
 		app:     app,
 		backend: be,
@@ -60,17 +72,17 @@ func New(app *fiber.App, be backend.Backend, root middlewares.RootUserConfig, po
 			return ctx.SendStatus(http.StatusOK)
 		})
 	}
-	app.Use(middlewares.DecodeURL(l))
+	app.Use(middlewares.DecodeURL(l, mm))
 	app.Use(middlewares.RequestLogger(server.debug))

 	// Authentication middlewares
-	app.Use(middlewares.VerifyPresignedV4Signature(root, iam, l, region, server.debug))
-	app.Use(middlewares.VerifyV4Signature(root, iam, l, region, server.debug))
-	app.Use(middlewares.ProcessChunkedBody(root, iam, l, region))
+	app.Use(middlewares.VerifyPresignedV4Signature(root, iam, l, mm, region, server.debug))
+	app.Use(middlewares.VerifyV4Signature(root, iam, l, mm, region, server.debug))
+	app.Use(middlewares.ProcessChunkedBody(root, iam, l, mm, region))
 	app.Use(middlewares.VerifyMD5Body(l))
-	app.Use(middlewares.AclParser(be, l))
+	app.Use(middlewares.AclParser(be, l, server.readonly))

-	server.router.Init(app, be, iam, l, evs, server.debug)
+	server.router.Init(app, be, iam, l, evs, mm, server.debug, server.readonly)

 	return server, nil
 }
@@ -103,6 +115,10 @@ func WithHealth(health string) Option {
 	return func(s *S3ApiServer) { s.health = health }
 }

+func WithReadOnly() Option {
+	return func(s *S3ApiServer) { s.readonly = true }
+}
+
 func (sa *S3ApiServer) Serve() (err error) {
 	if sa.cert != nil {
 		return sa.app.ListenTLSWithCertificate(sa.port, *sa.cert)
--- a/s3api/server_test.go
+++ b/s3api/server_test.go
@@ -64,7 +64,7 @@ func TestNew(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			gotS3ApiServer, err := New(tt.args.app, tt.args.be, tt.args.root,
-				tt.args.port, "us-east-1", &auth.IAMServiceInternal{}, nil, nil)
+				tt.args.port, "us-east-1", &auth.IAMServiceInternal{}, nil, nil, nil)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr)
 				return
--- a/s3api/utils/auth_test.go
+++ b/s3api/utils/auth_test.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package utils

 import (
--- a/s3api/utils/utils.go
+++ b/s3api/utils/utils.go
@@ -278,3 +278,51 @@ func ParseObjectAttributes(ctx *fiber.Ctx) map[types.ObjectAttributes]struct{} {

 	return attrs
 }
+
+type objLockCfg struct {
+	RetainUntilDate time.Time
+	ObjectLockMode  types.ObjectLockMode
+	LegalHoldStatus types.ObjectLockLegalHoldStatus
+}
+
+func ParsObjectLockHdrs(ctx *fiber.Ctx) (*objLockCfg, error) {
+	legalHoldHdr := ctx.Get("X-Amz-Object-Lock-Legal-Hold")
+	objLockModeHdr := ctx.Get("X-Amz-Object-Lock-Mode")
+	objLockDate := ctx.Get("X-Amz-Object-Lock-Retain-Until-Date")
+
+	if (objLockDate != "" && objLockModeHdr == "") || (objLockDate == "" && objLockModeHdr != "") {
+		return nil, s3err.GetAPIError(s3err.ErrObjectLockInvalidHeaders)
+	}
+
+	var retainUntilDate time.Time
+	if objLockDate != "" {
+		rDate, err := time.Parse(time.RFC3339, objLockDate)
+		if err != nil {
+			return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
+		}
+		if rDate.Before(time.Now()) {
+			return nil, s3err.GetAPIError(s3err.ErrPastObjectLockRetainDate)
+		}
+		retainUntilDate = rDate
+	}
+
+	objLockMode := types.ObjectLockMode(objLockModeHdr)
+
+	if objLockMode != "" &&
+		objLockMode != types.ObjectLockModeCompliance &&
+		objLockMode != types.ObjectLockModeGovernance {
+		return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	legalHold := types.ObjectLockLegalHoldStatus(legalHoldHdr)
+
+	if legalHold != "" && legalHold != types.ObjectLockLegalHoldStatusOff && legalHold != types.ObjectLockLegalHoldStatusOn {
+		return nil, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
+	return &objLockCfg{
+		RetainUntilDate: retainUntilDate,
+		ObjectLockMode:  objLockMode,
+		LegalHoldStatus: legalHold,
+	}, nil
+}
--- a/s3api/utils/utils_test.go
+++ b/s3api/utils/utils_test.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package utils

 import (
--- a/s3err/s3err.go
+++ b/s3err/s3err.go
@@ -69,6 +69,7 @@ const (
 	ErrInvalidMaxParts
 	ErrInvalidPartNumberMarker
 	ErrInvalidPart
+	ErrInvalidPartNumber
 	ErrInternalError
 	ErrInvalidCopyDest
 	ErrInvalidCopySource
@@ -114,8 +115,10 @@ const (
 	ErrObjectLockConfigurationNotFound
 	ErrNoSuchObjectLockConfiguration
 	ErrInvalidBucketObjectLockConfiguration
+	ErrObjectLockConfigurationNotAllowed
 	ErrObjectLocked
 	ErrPastObjectLockRetainDate
+	ErrObjectLockInvalidRetentionPeriod
 	ErrNoSuchBucketPolicy
 	ErrBucketTaggingNotFound
 	ErrObjectLockInvalidHeaders
@@ -209,6 +212,11 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "One or more of the specified parts could not be found.  The part may not have been uploaded, or the specified entity tag may not match the part's entity tag.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrInvalidPartNumber: {
+		Code:           "InvalidArgument",
+		Description:    "Part number must be an integer between 1 and 10000, inclusive",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrInvalidCopyDest: {
 		Code:           "InvalidRequest",
 		Description:    "This copy request is illegal because it is trying to copy an object to itself without changing the object's metadata, storage class, website redirect location or encryption attributes.",
@@ -424,6 +432,11 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "Bucket is missing ObjectLockConfiguration",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrObjectLockConfigurationNotAllowed: {
+		Code:           "InvalidBucketState",
+		Description:    "Object Lock configuration cannot be enabled on existing buckets",
+		HTTPStatusCode: http.StatusConflict,
+	},
 	ErrObjectLocked: {
 		Code:           "InvalidRequest",
 		Description:    "Object is WORM protected and cannot be overwritten",
@@ -434,6 +447,11 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "the retain until date must be in the future",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrObjectLockInvalidRetentionPeriod: {
+		Code:           "InvalidRetentionPeriod",
+		Description:    "the retention days/years must be positive integer",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrNoSuchBucketPolicy: {
 		Code:           "NoSuchBucketPolicy",
 		Description:    "The bucket policy does not exist",
--- a/s3event/event.go
+++ b/s3event/event.go
@@ -117,7 +117,7 @@ type EventConfig struct {
 }

 func InitEventSender(cfg *EventConfig) (S3EventSender, error) {
-	filter, err := parseEventFilters(cfg.FilterConfigFilePath)
+	filter, err := parseEventFiltersFile(cfg.FilterConfigFilePath)
 	if err != nil {
 		return nil, fmt.Errorf("parse event filter config file %w", err)
 	}
--- a/s3event/filter.go
+++ b/s3event/filter.go
@@ -17,6 +17,7 @@ package s3event
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -69,7 +70,7 @@ var supportedEventFilters = map[EventType]struct{}{

 type EventFilter map[EventType]bool

-func parseEventFilters(path string) (EventFilter, error) {
+func parseEventFiltersFile(path string) (EventFilter, error) {
 	// if no filter config file path is specified return nil map
 	if path == "" {
 		return nil, nil
@@ -87,8 +88,12 @@ func parseEventFilters(path string) (EventFilter, error) {
 	}
 	defer file.Close()

+	return parseEventFilters(file)
+}
+
+func parseEventFilters(r io.Reader) (EventFilter, error) {
 	var filter EventFilter
-	if err := json.NewDecoder(file).Decode(&filter); err != nil {
+	if err := json.NewDecoder(r).Decode(&filter); err != nil {
 		return nil, err
 	}

@@ -116,7 +121,7 @@ func (ef EventFilter) Filter(event EventType) bool {
 	}

 	// check wildcard match
-	wildCardEv := EventType(string(event[strings.LastIndex(string(event), ":")+1]) + "*")
+	wildCardEv := EventType(string(event[:strings.LastIndex(string(event), ":")+1]) + "*")
 	wildcard, found := ef[wildCardEv]
 	if found {
 		return wildcard
--- a/s3event/filter_test.go
+++ b/s3event/filter_test.go
@@ -0,0 +1,52 @@
+package s3event
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestFilterWildcardCreated(t *testing.T) {
+	filterString := `{"s3:ObjectCreated:*": true}`
+	strReader := strings.NewReader(filterString)
+
+	ef, err := parseEventFilters(strReader)
+	if err != nil {
+		t.Fatalf("failed to parse event filter: %v", err)
+	}
+
+	created := []string{
+		"s3:ObjectCreated:Put",
+		"s3:ObjectCreated:Post",
+		"s3:ObjectCreated:Copy",
+		"s3:ObjectCreated:CompleteMultipartUpload",
+	}
+
+	for _, event := range created {
+		allowed := ef.Filter(EventType(event))
+		if !allowed {
+			t.Errorf("expected event to be allowed: %s", event)
+		}
+	}
+}
+
+func TestFilterWildcardRemoved(t *testing.T) {
+	filterString := `{"s3:ObjectRemoved:*": true}`
+	strReader := strings.NewReader(filterString)
+
+	ef, err := parseEventFilters(strReader)
+	if err != nil {
+		t.Fatalf("failed to parse event filter: %v", err)
+	}
+
+	removed := []string{
+		"s3:ObjectRemoved:Delete",
+		"s3:ObjectRemoved:DeleteObjects",
+	}
+
+	for _, event := range removed {
+		allowed := ef.Filter(EventType(event))
+		if !allowed {
+			t.Errorf("expected event to be allowed: %s", event)
+		}
+	}
+}
--- a/tests/.env.default
+++ b/tests/.env.default
@@ -14,4 +14,7 @@ SECRETS_FILE=./tests/.secrets
 MC_ALIAS=versity
 LOG_LEVEL=2
 GOCOVERDIR=$PWD/cover
-USERS_FOLDER=$PWD/iam
+USERS_FOLDER=$PWD/iam
+#TEST_LOG_FILE=test.log
+#VERSITY_LOG_FILE=versity.log
+IAM_TYPE=folder
--- a/tests/commands/complete_multipart_upload.sh
+++ b/tests/commands/complete_multipart_upload.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+complete_multipart_upload() {
+  if [[ $# -ne 4 ]]; then
+    log 2 "'complete multipart upload' command requires bucket, key, upload ID, parts list"
+    return 1
+  fi
+  log 5 "complete multipart upload id: $3, parts: $4"
+  error=$(aws --no-verify-ssl s3api complete-multipart-upload --bucket "$1" --key "$2" --upload-id "$3" --multipart-upload '{"Parts": '"$4"'}' 2>&1) || local completed=$?
+  if [[ $completed -ne 0 ]]; then
+    log 2 "error completing multipart upload: $error"
+    return 1
+  fi
+  log 5 "complete multipart upload error: $error"
+  return 0
+}
--- a/tests/commands/copy_object.sh
+++ b/tests/commands/copy_object.sh
@@ -12,9 +12,10 @@ copy_object() {
  elif [[ $1 == 's3api' ]] || [[ $1 == 'aws' ]]; then
    error=$(aws --no-verify-ssl s3api copy-object --copy-source "$2" --bucket "$3" --key "$4" 2>&1) || exit_code=$?
  elif [[ $1 == 's3cmd' ]]; then
+    log 5 "s3cmd ${S3CMD_OPTS[*]} --no-check-certificate cp s3://$2 s3://$3/$4"
    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate cp "s3://$2" s3://"$3/$4" 2>&1) || exit_code=$?
  elif [[ $1 == 'mc' ]]; then
-    error=$(mc --insecure cp "$2" "$MC_ALIAS/$3/$4" 2>&1) || exit_code=$?
+    error=$(mc --insecure cp "$MC_ALIAS/$2" "$MC_ALIAS/$3/$4" 2>&1) || exit_code=$?
  else
    echo "'copy-object' not implemented for '$1'"
    return 1
@@ -25,4 +26,17 @@ copy_object() {
    return 1
  fi
  return 0
-}
+}
+
+copy_object_empty() {
+  error=$(aws --no-verify-ssl s3api copy-object 2>&1) || local result=$?
+  if [[ $result -eq 0 ]]; then
+    log 2 "copy object with empty parameters returned no error"
+    return 1
+  fi
+  if [[ $error != *"the following arguments are required: --bucket, --copy-source, --key" ]]; then
+    log 2 "copy object with no params returned mismatching error: $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/create_bucket.sh
+++ b/tests/commands/create_bucket.sh
@@ -5,26 +5,43 @@
 # return 0 for success, 1 for failure
 create_bucket() {
  if [ $# -ne 2 ]; then
-    echo "create bucket missing command type, bucket name"
+    log 2 "create bucket missing command type, bucket name"
    return 1
  fi

  local exit_code=0
  local error
+  log 6 "create bucket"
  if [[ $1 == 's3' ]]; then
    error=$(aws --no-verify-ssl s3 mb s3://"$2" 2>&1) || exit_code=$?
  elif [[ $1 == "aws" ]] || [[ $1 == 's3api' ]]; then
    error=$(aws --no-verify-ssl s3api create-bucket --bucket "$2" 2>&1) || exit_code=$?
  elif [[ $1 == "s3cmd" ]]; then
+    log 5 "s3cmd ${S3CMD_OPTS[*]} --no-check-certificate mb s3://$2"
    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate mb s3://"$2" 2>&1) || exit_code=$?
  elif [[ $1 == "mc" ]]; then
    error=$(mc --insecure mb "$MC_ALIAS"/"$2" 2>&1) || exit_code=$?
  else
-    echo "invalid command type $1"
+    log 2 "invalid command type $1"
    return 1
  fi
  if [ $exit_code -ne 0 ]; then
-    echo "error creating bucket: $error"
+    log 2 "error creating bucket: $error"
+    return 1
+  fi
+  return 0
+}
+
+create_bucket_object_lock_enabled() {
+  if [ $# -ne 1 ]; then
+    log 2 "create bucket missing bucket name"
+    return 1
+  fi
+
+  local exit_code=0
+  error=$(aws --no-verify-ssl s3api create-bucket --bucket "$1" 2>&1 --object-lock-enabled-for-bucket) || local exit_code=$?
+  if [ $exit_code -ne 0 ]; then
+    log 2 "error creating bucket: $error"
    return 1
  fi
  return 0
--- a/tests/commands/create_multipart_upload.sh
+++ b/tests/commands/create_multipart_upload.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# initialize a multipart upload
+# params:  bucket, key
+# return 0 for success, 1 for failure
+create_multipart_upload() {
+  if [ $# -ne 2 ]; then
+    log 2 "create multipart upload function must have bucket, key"
+    return 1
+  fi
+
+  local multipart_data
+  multipart_data=$(aws --no-verify-ssl s3api create-multipart-upload --bucket "$1" --key "$2") || local created=$?
+  if [[ $created -ne 0 ]]; then
+    log 2 "Error creating multipart upload: $upload_id"
+    return 1
+  fi
+
+  upload_id=$(echo "$multipart_data" | jq '.UploadId')
+  upload_id="${upload_id//\"/}"
+  export upload_id
+}
+
+create_multipart_upload_params() {
+  if [ $# -ne 8 ]; then
+    log 2 "create multipart upload function with params must have bucket, key, content type, metadata, object lock legal hold status, " \
+      "object lock mode, object lock retain until date, and tagging"
+    return 1
+  fi
+  local multipart_data
+  multipart_data=$(aws --no-verify-ssl s3api create-multipart-upload \
+    --bucket "$1" \
+    --key "$2" \
+    --content-type "$3" \
+    --metadata "$4" \
+    --object-lock-legal-hold-status "$5" \
+    --object-lock-mode "$6" \
+    --object-lock-retain-until-date "$7" \
+    --tagging "$8" 2>&1) || local create_result=$?
+  if [[ $create_result -ne 0 ]]; then
+    log 2 "error creating multipart upload with params: $multipart_data"
+    return 1
+  fi
+  export multipart_data
+  upload_id=$(echo "$multipart_data" | grep -v "InsecureRequestWarning" | jq '.UploadId')
+  upload_id="${upload_id//\"/}"
+  export upload_id
+  return 0
+}
+
+create_multipart_upload_custom() {
+  if [ $# -lt 2 ]; then
+    log 2 "create multipart upload custom function must have at least bucket and key"
+    return 1
+  fi
+  local multipart_data
+  log 5 "additional create multipart params"
+  for i in "$@"; do
+    log 5 "$i"
+  done
+  log 5 "${*:3}"
+  log 5 "aws --no-verify-ssl s3api create-multipart-upload --bucket $1 --key $2 ${*:3}"
+  multipart_data=$(aws --no-verify-ssl s3api create-multipart-upload --bucket "$1" --key "$2" 2>&1) || local result=$?
+  if [[ $result -ne 0 ]]; then
+    log 2 "error creating custom multipart data command: $multipart_data"
+    return 1
+  fi
+  export multipart_data
+  log 5 "multipart data: $multipart_data"
+  upload_id=$(echo "$multipart_data" | grep -v "InsecureRequestWarning" | jq '.UploadId')
+  upload_id="${upload_id//\"/}"
+  log 5 "upload id: $upload_id"
+  export upload_id
+  return 0
+}
--- a/tests/commands/delete_bucket.sh
+++ b/tests/commands/delete_bucket.sh
@@ -5,7 +5,7 @@
 # return 0 for success, 1 for failure
 delete_bucket() {
  if [ $# -ne 2 ]; then
-    echo "delete bucket missing command type, bucket name"
+    log 2 "delete bucket missing command type, bucket name"
    return 1
  fi

@@ -20,14 +20,14 @@ delete_bucket() {
  elif [[ $1 == 'mc' ]]; then
    error=$(mc --insecure rb "$MC_ALIAS/$2" 2>&1) || exit_code=$?
  else
-    echo "Invalid command type $1"
+    log 2 "Invalid command type $1"
    return 1
  fi
  if [ $exit_code -ne 0 ]; then
    if [[ "$error" == *"The specified bucket does not exist"* ]]; then
      return 0
    else
-      echo "error deleting bucket: $error"
+      log 2 "error deleting bucket: $error"
      return 1
    fi
  fi
--- a/tests/commands/delete_bucket_policy.sh
+++ b/tests/commands/delete_bucket_policy.sh
@@ -2,21 +2,21 @@

 delete_bucket_policy() {
  if [[ $# -ne 2 ]]; then
-    echo "delete bucket policy command requires command type, bucket"
+    log 2 "delete bucket policy command requires command type, bucket"
    return 1
  fi
  if [[ $1 == 'aws' ]]; then
-    error=$(aws --no-verify-ssl s3api delete-bucket-policy --bucket "$2") || delete_result=$?
+    error=$(aws --no-verify-ssl s3api delete-bucket-policy --bucket "$2" 2>&1) || delete_result=$?
  elif [[ $1 == 's3cmd' ]]; then
-    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate delpolicy "s3://$2") || delete_result=$?
+    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate delpolicy "s3://$2" 2>&1) || delete_result=$?
  elif [[ $1 == 'mc' ]]; then
-    error=$(mc --insecure anonymous set none "$MC_ALIAS/$2") || delete_result=$?
+    error=$(mc --insecure anonymous set none "$MC_ALIAS/$2" 2>&1) || delete_result=$?
  else
-    echo "command 'get bucket policy' not implemented for '$1'"
+    log 2 "command 'get bucket policy' not implemented for '$1'"
    return 1
  fi
  if [[ $delete_result -ne 0 ]]; then
-    echo "error deleting bucket policy: $error"
+    log 2 "error deleting bucket policy: $error"
    return 1
  fi
  return 0
--- a/tests/commands/delete_object.sh
+++ b/tests/commands/delete_object.sh
@@ -2,25 +2,50 @@

 delete_object() {
  if [ $# -ne 3 ]; then
-    echo "delete object command requires command type, bucket, key"
+    log 2 "delete object command requires command type, bucket, key"
    return 1
  fi
  local exit_code=0
-  local error
  if [[ $1 == 's3' ]]; then
-    error=$(aws --no-verify-ssl s3 rm "s3://$2/$3" 2>&1) || exit_code=$?
+    delete_object_error=$(aws --no-verify-ssl s3 rm "s3://$2/$3" 2>&1) || exit_code=$?
  elif [[ $1 == 's3api' ]] || [[ $1 == 'aws' ]]; then
-    error=$(aws --no-verify-ssl s3api delete-object --bucket "$2" --key "$3" 2>&1) || exit_code=$?
+    delete_object_error=$(aws --no-verify-ssl s3api delete-object --bucket "$2" --key "$3" 2>&1) || exit_code=$?
  elif [[ $1 == 's3cmd' ]]; then
-    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate rm "s3://$2/$3" 2>&1) || exit_code=$?
+    delete_object_error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate rm "s3://$2/$3" 2>&1) || exit_code=$?
  elif [[ $1 == 'mc' ]]; then
-    error=$(mc --insecure rm "$MC_ALIAS/$2/$3" 2>&1) || exit_code=$?
+    delete_object_error=$(mc --insecure rm "$MC_ALIAS/$2/$3" 2>&1) || exit_code=$?
  else
-    echo "invalid command type $1"
+    log 2 "invalid command type $1"
+    return 1
+  fi
+  log 5 "delete object exit code: $exit_code"
+  if [ $exit_code -ne 0 ]; then
+    log 2 "error deleting object: $delete_object_error"
+    export delete_object_error
+    return 1
+  fi
+  return 0
+}
+
+delete_object_with_user() {
+  if [ $# -ne 5 ]; then
+    log 2 "delete object with user command requires command type, bucket, key, access ID, secret key"
+    return 1
+  fi
+  local exit_code=0
+  if [[ $1 == 's3' ]]; then
+    delete_object_error=$(AWS_ACCESS_KEY_ID="$4" AWS_SECRET_ACCESS_KEY="$5" aws --no-verify-ssl s3 rm "s3://$2/$3" 2>&1) || exit_code=$?
+  elif [[ $1 == 's3api' ]] || [[ $1 == 'aws' ]]; then
+    delete_object_error=$(AWS_ACCESS_KEY_ID="$4" AWS_SECRET_ACCESS_KEY="$5" aws --no-verify-ssl s3api delete-object --bucket "$2" --key "$3" 2>&1) || exit_code=$?
+  elif [[ $1 == 's3cmd' ]]; then
+    delete_object_error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate rm --access_key="$4" --secret_key="$5" "s3://$2/$3" 2>&1) || exit_code=$?
+  else
+    log 2 "command 'delete object with user' not implemented for '$1'"
    return 1
  fi
  if [ $exit_code -ne 0 ]; then
-    echo "error deleting object: $error"
+    log 2 "error deleting object: $delete_object_error"
+    export delete_object_error
    return 1
  fi
  return 0
--- a/tests/commands/get_bucket_acl.sh
+++ b/tests/commands/get_bucket_acl.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+get_bucket_acl() {
+  if [ $# -ne 2 ]; then
+    log 2 "bucket ACL command missing command type, bucket name"
+    return 1
+  fi
+  local exit_code=0
+  if [[ $1 == 'aws' ]] || [[ $1 == 's3api' ]]; then
+    acl=$(aws --no-verify-ssl s3api get-bucket-acl --bucket "$2" 2>&1) || exit_code="$?"
+  elif [[ $1 == 's3cmd' ]]; then
+    acl=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate info "s3://$2" 2>&1) || exit_code="$?"
+  else
+    log 2 "command 'get bucket acl' not implemented for $1"
+    return 1
+  fi
+  if [ $exit_code -ne 0 ]; then
+    log 2 "Error getting bucket ACLs: $acl"
+    return 1
+  fi
+  export acl
+}
--- a/tests/commands/get_bucket_policy.sh
+++ b/tests/commands/get_bucket_policy.sh
@@ -30,9 +30,8 @@ get_bucket_policy_aws() {
    return 1
  fi
  policy_json=$(aws --no-verify-ssl s3api get-bucket-policy --bucket "$1" 2>&1) || get_result=$?
-  if [[ $policy_json == *"InsecureRequestWarning"* ]]; then
-    policy_json=$(awk 'NR>2' <<< "$policy_json")
-  fi
+  policy_json=$(echo "$policy_json" | grep -v "InsecureRequestWarning")
+  log 5 "$policy_json"
  if [[ $get_result -ne 0 ]]; then
    if [[ "$policy_json" == *"(NoSuchBucketPolicy)"* ]]; then
      bucket_policy=
@@ -41,7 +40,7 @@ get_bucket_policy_aws() {
      return 1
    fi
  else
-    bucket_policy=$(echo "{$policy_json}" | jq -r '.Policy')
+    bucket_policy=$(echo "$policy_json" | jq -r '.Policy')
  fi
  export bucket_policy
  return 0
--- a/tests/commands/get_bucket_versioning.sh
+++ b/tests/commands/get_bucket_versioning.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+get_bucket_versioning() {
+  if [[ $# -ne 2 ]]; then
+    log 2 "put bucket versioning command requires command type, bucket name"
+    return 1
+  fi
+  local get_result=0
+  if [[ $1 == 's3api' ]]; then
+    error=$(aws --no-verify-ssl s3api get-bucket-versioning --bucket "$2" 2>&1) || get_result=$?
+  fi
+  if [[ $get_result -ne 0 ]]; then
+    log 2 "error getting bucket versioning: $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/get_object.sh
+++ b/tests/commands/get_object.sh
@@ -2,7 +2,7 @@

 get_object() {
  if [ $# -ne 4 ]; then
-    echo "get object command requires command type, bucket, key, destination"
+    log 2 "get object command requires command type, bucket, key, destination"
    return 1
  fi
  local exit_code=0
@@ -16,12 +16,25 @@ get_object() {
  elif [[ $1 == 'mc' ]]; then
    error=$(mc --insecure get "$MC_ALIAS/$2/$3" "$4" 2>&1) || exit_code=$?
  else
-    echo "'get object' command not implemented for '$1'"
+    log 2 "'get object' command not implemented for '$1'"
    return 1
  fi
  log 5 "get object exit code: $exit_code"
  if [ $exit_code -ne 0 ]; then
-    echo "error putting object into bucket: $error"
+    log 2 "error getting object: $error"
+    return 1
+  fi
+  return 0
+}
+
+get_object_with_range() {
+  if [[ $# -ne 4 ]]; then
+    log 2 "'get object with range' requires bucket, key, range, outfile"
+    return 1
+  fi
+  error=$(aws --no-verify-ssl s3api get-object --bucket "$1" --key "$2" --range "$3" "$4" 2>&1) || local exit_code=$?
+  if [[ $exit_code -ne 0 ]]; then
+    log 2 "error getting object with range: $error"
    return 1
  fi
  return 0
--- a/tests/commands/get_object_attributes.sh
+++ b/tests/commands/get_object_attributes.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+get_object_attributes() {
+  if [[ $# -ne 2 ]]; then
+    log 2 "'get object attributes' command requires bucket, key"
+    return 1
+  fi
+  attributes=$(aws --no-verify-ssl s3api get-object-attributes --bucket "$1" --key "$2" --object-attributes "ObjectSize" 2>&1) || local get_result=$?
+  if [[ $get_result -ne 0 ]]; then
+    log 2 "error getting object attributes: $attributes"
+    return 1
+  fi
+  attributes=$(echo "$attributes" | grep -v "InsecureRequestWarning")
+  log 5 "$attributes"
+  export attributes
+  return 0
+}
--- a/tests/commands/get_object_legal_hold.sh
+++ b/tests/commands/get_object_legal_hold.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+get_object_legal_hold() {
+  if [[ $# -ne 2 ]]; then
+    log 2 "'get object legal hold' command requires bucket, key"
+    return 1
+  fi
+  legal_hold=$(aws --no-verify-ssl s3api get-object-legal-hold --bucket "$1" --key "$2" 2>&1) || local get_result=$?
+  if [[ $get_result -ne 0 ]]; then
+    log 2 "error getting object legal hold: $legal_hold"
+    return 1
+  fi
+  export legal_hold
+  return 0
+}
--- a/tests/commands/get_object_lock_configuration.sh
+++ b/tests/commands/get_object_lock_configuration.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+get_object_lock_configuration() {
+  if [[ $# -ne 1 ]]; then
+    log 2 "'get object lock configuration' command missing bucket name"
+    return 1
+  fi
+  lock_config=$(aws --no-verify-ssl s3api get-object-lock-configuration --bucket "$1") || local get_result=$?
+  if [[ $get_result -ne 0 ]]; then
+    log 2 "error obtaining lock config: $lock_config"
+    return 1
+  fi
+  export lock_config
+  return 0
+}
--- a/tests/commands/get_object_retention.sh
+++ b/tests/commands/get_object_retention.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+get_object_retention() {
+  if [[ $# -ne 2 ]]; then
+    log 2 "'get object retention' command requires bucket, key"
+    return 1
+  fi
+  retention=$(aws --no-verify-ssl s3api get-object-retention --bucket "$1" --key "$2" 2>&1) || local get_result=$?
+  if [[ $get_result -ne 0 ]]; then
+    log 2 "error getting object retention: $retention"
+    return 1
+  fi
+  export retention
+  return 0
+}
--- a/tests/commands/get_object_tagging.sh
+++ b/tests/commands/get_object_tagging.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+get_object_tagging() {
+  if [ $# -ne 3 ]; then
+    log 2 "get object tag command missing command type, bucket, and/or key"
+    return 1
+  fi
+  local result
+  if [[ $1 == 'aws' ]]; then
+    tags=$(aws --no-verify-ssl s3api get-object-tagging --bucket "$2" --key "$3" 2>&1) || result=$?
+  elif [[ $1 == 'mc' ]]; then
+    tags=$(mc --insecure tag list "$MC_ALIAS"/"$2"/"$3" 2>&1) || result=$?
+  else
+    log 2 "invalid command type $1"
+    return 1
+  fi
+  if [[ $result -ne 0 ]]; then
+    if [[ "$tags" == *"NoSuchTagSet"* ]] || [[ "$tags" == *"No tags found"* ]]; then
+      tags=
+    else
+      log 2 "error getting object tags: $tags"
+      return 1
+    fi
+  else
+    log 5 "$tags"
+    tags=$(echo "$tags" | grep -v "InsecureRequestWarning")
+  fi
+  export tags
+}
--- a/tests/commands/head_object.sh
+++ b/tests/commands/head_object.sh
@@ -2,28 +2,29 @@

 head_object() {
  if [ $# -ne 3 ]; then
-    echo "head-object missing command, bucket name, object name"
+    log 2 "head-object missing command, bucket name, object name"
    return 2
  fi
  local exit_code=0
-  local error=""
  if [[ $1 == 'aws' ]] || [[ $1 == 's3api' ]] || [[ $1 == 's3' ]]; then
-    error=$(aws --no-verify-ssl s3api head-object --bucket "$2" --key "$3" 2>&1) || exit_code="$?"
+    metadata=$(aws --no-verify-ssl s3api head-object --bucket "$2" --key "$3" 2>&1) || exit_code="$?"
  elif [[ $1 == 's3cmd' ]]; then
-    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate info s3://"$2/$3" 2>&1) || exit_code="$?"
+    metadata=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate info s3://"$2/$3" 2>&1) || exit_code="$?"
  elif [[ $1 == 'mc' ]]; then
-    error=$(mc --insecure stat "$MC_ALIAS/$2/$3" 2>&1) || exit_code=$?
+    metadata=$(mc --insecure stat "$MC_ALIAS/$2/$3" 2>&1) || exit_code=$?
  else
-    echo "invalid command type $1"
+    log 2 "invalid command type $1"
    return 2
  fi
  if [ $exit_code -ne 0 ]; then
-    if [[ "$error" == *"404"* ]] || [[ "$error" == *"does not exist"* ]]; then
+    if [[ "$metadata" == *"404"* ]] || [[ "$metadata" == *"does not exist"* ]]; then
+      log 5 "file doesn't exist ($metadata)"
      return 1
    else
-      echo "error checking if object exists: $error"
+      log 2 "error checking if object exists: $metadata"
      return 2
    fi
  fi
+  export metadata
  return 0
 }
--- a/tests/commands/list_buckets.sh
+++ b/tests/commands/list_buckets.sh
@@ -7,7 +7,6 @@ list_buckets() {
  fi

  local exit_code=0
-  local error
  if [[ $1 == 's3' ]]; then
    buckets=$(aws --no-verify-ssl s3 ls 2>&1 s3://) || exit_code=$?
  elif [[ $1 == 's3api' ]] || [[ $1 == 'aws' ]]; then
--- a/tests/commands/list_object_versions.sh
+++ b/tests/commands/list_object_versions.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+list_object_versions() {
+  if [[ $# -ne 1 ]]; then
+    log 2 "'list object versions' command requires bucket name"
+    return 1
+  fi
+  versions=$(aws --no-verify-ssl s3api list-object-versions --bucket "$1") || local list_result=$?
+  if [[ $list_result -ne 0 ]]; then
+    log 2 "error listing object versions: $versions"
+    return 1
+  fi
+  export versions
+  return 0
+}
--- a/tests/commands/list_objects.sh
+++ b/tests/commands/list_objects.sh
@@ -58,8 +58,13 @@ list_objects_s3api() {
  done <<< "$output"

  object_array=()
-  keys=$(jq -r '.Contents[].Key' <<<"$modified_output")
-  IFS=$'\n' read -rd '' -a object_array <<<"$keys"
+  log 5 "modified output: $modified_output"
+  if echo "$modified_output" | jq -e 'has("Contents")'; then
+    contents=$(echo "$modified_output" | jq -r '.Contents[]')
+    log 5 "contents: $contents"
+    keys=$(echo "$contents" | jq -r '.Key')
+    IFS=$'\n' read -rd '' -a object_array <<<"$keys"
+  fi

  export object_array
 }
--- a/tests/commands/put_bucket_acl.sh
+++ b/tests/commands/put_bucket_acl.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+put_bucket_acl() {
+  if [[ $# -ne 3 ]]; then
+    log 2 "put bucket acl command requires command type, bucket name, acls"
+    return 1
+  fi
+  local error=""
+  local put_result=0
+  if [[ $1 == 's3api' ]]; then
+    log 5 "bucket name: $2, acls: $3"
+    error=$(aws --no-verify-ssl s3api put-bucket-acl --bucket "$2" --access-control-policy "file://$3" 2>&1) || put_result=$?
+  elif [[ $1 == 's3cmd' ]]; then
+    error=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate setacl "s3://$2" --acl-grant=read:ABCDEFG 2>&1) || put_result=$?
+  else
+    log 2 "put_bucket_acl not implemented for '$1'"
+    return 1
+  fi
+  if [[ $put_result -ne 0 ]]; then
+    log 2 "error putting bucket acl: $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/put_bucket_policy.sh
+++ b/tests/commands/put_bucket_policy.sh
@@ -2,21 +2,21 @@

 put_bucket_policy() {
  if [[ $# -ne 3 ]]; then
-    echo "get bucket policy command requires command type, bucket, policy file"
+    log 2 "get bucket policy command requires command type, bucket, policy file"
    return 1
  fi
-  if [[ $1 == 'aws' ]]; then
-    policy=$(aws --no-verify-ssl s3api put-bucket-policy --bucket "$2" --policy "file://$3") || get_result=$?
+  if [[ $1 == 'aws' ]] || [[ $1 == 's3api' ]]; then
+    policy=$(aws --no-verify-ssl s3api put-bucket-policy --bucket "$2" --policy "file://$3" 2>&1) || put_result=$?
  elif [[ $1 == 's3cmd' ]]; then
-    policy=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate setpolicy "$3" "s3://$2") || get_result=$?
+    policy=$(s3cmd "${S3CMD_OPTS[@]}" --no-check-certificate setpolicy "$3" "s3://$2" 2>&1) || put_result=$?
  elif [[ $1 == 'mc' ]]; then
-    policy=$(mc --insecure anonymous set-json "$3" "$MC_ALIAS/$2")
+    policy=$(mc --insecure anonymous set-json "$3" "$MC_ALIAS/$2" 2>&1) || put_result=$?
  else
-    echo "command 'put bucket policy' not implemented for '$1'"
+    log 2 "command 'put bucket policy' not implemented for '$1'"
    return 1
  fi
-  if [[ $get_result -ne 0 ]]; then
-    echo "error putting policy: $policy"
+  if [[ $put_result -ne 0 ]]; then
+    log 2 "error putting policy: $policy"
    return 1
  fi
  return 0
--- a/tests/commands/put_bucket_versioning.sh
+++ b/tests/commands/put_bucket_versioning.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+put_bucket_versioning() {
+  if [[ $# -ne 3 ]]; then
+    log 2 "put bucket versioning command requires command type, bucket name, 'Enabled' or 'Suspended'"
+    return 1
+  fi
+  local put_result=0
+  if [[ $1 == 's3api' ]]; then
+    error=$(aws --no-verify-ssl s3api put-bucket-versioning --bucket "$2" --versioning-configuration "{ \"Status\": \"$3\"}" 2>&1) || put_result=$?
+  fi
+  if [[ $put_result -ne 0 ]]; then
+    log 2 "error putting bucket versioning: $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/put_object.sh
+++ b/tests/commands/put_object.sh
@@ -2,7 +2,7 @@

 put_object() {
  if [ $# -ne 4 ]; then
-    echo "put object command requires command type, source, destination bucket, destination key"
+    log 2 "put object command requires command type, source, destination bucket, destination key"
    return 1
  fi
  local exit_code=0
@@ -16,13 +16,34 @@ put_object() {
  elif [[ $1 == 'mc' ]]; then
    error=$(mc --insecure put "$2" "$MC_ALIAS/$3/$4" 2>&1) || exit_code=$?
  else
-    echo "'put object' command not implemented for '$1'"
+    log 2 "'put object' command not implemented for '$1'"
    return 1
  fi
  log 5 "put object exit code: $exit_code"
  if [ $exit_code -ne 0 ]; then
-    echo "error putting object into bucket: $error"
+    log 2 "error putting object into bucket: $error"
    return 1
  fi
  return 0
-}
+}
+
+put_object_with_user() {
+  if [ $# -ne 6 ]; then
+    log 2 "put object command requires command type, source, destination bucket, destination key, aws ID, aws secret key"
+    return 1
+  fi
+  local exit_code=0
+  if [[ $1 == 's3api' ]] || [[ $1 == 'aws' ]]; then
+    put_object_error=$(AWS_ACCESS_KEY_ID="$5" AWS_SECRET_ACCESS_KEY="$6" aws --no-verify-ssl s3api put-object --body "$2" --bucket "$3" --key "$4" 2>&1) || exit_code=$?
+  else
+    log 2 "'put object with user' command not implemented for '$1'"
+    return 1
+  fi
+  log 5 "put object exit code: $exit_code"
+  if [ $exit_code -ne 0 ]; then
+    log 2 "error putting object into bucket: $put_object_error"
+    export put_object_error
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/put_object_legal_hold.sh
+++ b/tests/commands/put_object_legal_hold.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+put_object_legal_hold() {
+  if [[ $# -ne 3 ]]; then
+    log 2 "'put object legal hold' command requires bucket, key, hold status ('ON' or 'OFF')"
+    return 1
+  fi
+  local error=""
+  error=$(aws --no-verify-ssl s3api put-object-legal-hold --bucket "$1" --key "$2" --legal-hold "{\"Status\": \"$3\"}" 2>&1) || local put_hold_result=$?
+  if [[ $put_hold_result -ne 0 ]]; then
+    log 2 "error putting object legal hold: $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/put_object_retention.sh
+++ b/tests/commands/put_object_retention.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+put_object_retention() {
+  if [[ $# -ne 4 ]]; then
+    log 2 "'put object retention' command requires bucket, key, retention mode, retention date"
+    return 1
+  fi
+  error=$(aws --no-verify-ssl s3api put-object-retention --bucket "$1" --key "$2" --retention "{\"Mode\": \"$3\", \"RetainUntilDate\": \"$4\"}" 2>&1) || local put_result=$?
+  if [[ $put_result -ne 0 ]]; then
+    log 2 "error putting object retention:  $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/select_object_content.sh
+++ b/tests/commands/select_object_content.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+select_object_content() {
+  if [[ $# -ne 7 ]]; then
+    log 2 "'select object content' command requires bucket, key, expression, expression type, input serialization, output serialization, outfile"
+    return 1
+  fi
+  error=$(aws --no-verify-ssl s3api select-object-content \
+    --bucket "$1" \
+    --key "$2" \
+    --expression "$3" \
+    --expression-type "$4" \
+    --input-serialization "$5" \
+    --output-serialization "$6" "$7" 2>&1) || local select_result=$?
+  if [[ $select_result -ne 0 ]]; then
+    log 2 "error selecting object content: $error"
+    return 1
+  fi
+  return 0
+}
--- a/tests/commands/upload_part_copy.sh
+++ b/tests/commands/upload_part_copy.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+upload_part_copy() {
+  if [ $# -ne 5 ]; then
+    echo "upload multipart part copy function must have bucket, key, upload ID, file name, part number"
+    return 1
+  fi
+  local etag_json
+  echo "$1 $2 $3 $4 $5"
+  etag_json=$(aws --no-verify-ssl s3api upload-part-copy --bucket "$1" --key "$2" --upload-id "$3" --part-number "$5" --copy-source "$1/$4-$(($5-1))") || local uploaded=$?
+  if [[ $uploaded -ne 0 ]]; then
+    echo "Error uploading part $5: $etag_json"
+    return 1
+  fi
+  etag=$(echo "$etag_json" | jq '.CopyPartResult.ETag')
+  export etag
+}
+
+upload_part_copy_with_range() {
+  if [ $# -ne 6 ]; then
+    log 2 "upload multipart part copy function must have bucket, key, upload ID, file name, part number, range"
+    return 1
+  fi
+  local etag_json
+  log 5 "bucket: $1, key: $2, upload ID: $3, file name: $4, range: $5, copy source range: $6"
+  etag_json=$(aws --no-verify-ssl s3api upload-part-copy --bucket "$1" --key "$2" --upload-id "$3" --part-number "$5" --copy-source "$1/$4-$(($5-1))" --copy-source-range "$6" 2>&1) || local uploaded=$?
+  if [[ $uploaded -ne 0 ]]; then
+    log 2 "Error uploading part $5: $etag_json"
+    export upload_part_copy_error=$etag_json
+    return 1
+  fi
+  etag=$(echo "$etag_json" | grep -v "InsecureRequestWarning" | jq '.CopyPartResult.ETag')
+  export etag
+}
--- a/tests/env.sh
+++ b/tests/env.sh
@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+
+check_env_vars() {
+  if ! check_universal_vars; then
+    log 2 "error checking universal params"
+    return 1
+  fi
+  if [[ $RUN_VERSITYGW == "true" ]]; then
+    if ! check_versity_vars; then
+      log 2 "error checking versity params"
+      return 1
+    fi
+  fi
+  if [[ $RUN_S3CMD == "true" ]]; then
+    if [[ -z "$S3CMD_CONFIG" ]]; then
+      log 2 "running s3cmd commands requires S3CMD_CONFIG param"
+      return 1
+    fi
+    export S3CMD_CONFIG
+  fi
+  if [[ $RUN_MC == "true" ]]; then
+    if [ -z "$MC_ALIAS" ]; then
+      log 2 "running mc tests requires MC_ALIAS param"
+      return 1
+    fi
+    export MC_ALIAS
+  fi
+  return 0
+}
+
+check_universal_vars() {
+  if [ -z "$VERSITYGW_TEST_ENV" ]; then
+    if [ -r tests/.env ]; then
+      source tests/.env
+    else
+      log 3 "Warning: no .env file found in tests folder"
+    fi
+  elif [[ $BYPASS_ENV_FILE != "true" ]]; then
+    # shellcheck source=./tests/.env.default
+    source "$VERSITYGW_TEST_ENV"
+  fi
+  if [ "$GITHUB_ACTIONS" != "true" ] && [ -r "$SECRETS_FILE" ]; then
+    # shellcheck source=./tests/.secrets
+    source "$SECRETS_FILE"
+  else
+    log 3 "Warning: no secrets file found"
+  fi
+  if [[ -n "$LOG_LEVEL" ]]; then
+    export LOG_LEVEL_INT=$LOG_LEVEL
+  fi
+  if [ -z "$AWS_ACCESS_KEY_ID" ]; then
+    log 2 "No AWS access key set"
+    return 1
+  elif [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+    log 2 "No AWS secret access key set"
+    return 1
+  elif [ -z "$AWS_PROFILE" ]; then
+    log 2 "No AWS profile set"
+    return 1
+  elif [ -z "$AWS_ENDPOINT_URL" ]; then
+    log 2 "No AWS endpoint URL set"
+    return 1
+  elif [[ $RUN_VERSITYGW != "true" ]] && [[ $RUN_VERSITYGW != "false" ]]; then
+    log 2 "RUN_VERSITYGW must be 'true' or 'false'"
+    return 1
+  elif [ -z "$BUCKET_ONE_NAME" ]; then
+    log 2 "No bucket one name set"
+    return 1
+  elif [ -z "$BUCKET_TWO_NAME" ]; then
+    log 2 "No bucket two name set"
+    return 1
+  elif [ -z "$RECREATE_BUCKETS" ]; then
+    log 2 "No recreate buckets parameter set"
+    return 1
+  elif [[ $RECREATE_BUCKETS != "true" ]] && [[ $RECREATE_BUCKETS != "false" ]]; then
+    log 2 "RECREATE_BUCKETS must be 'true' or 'false'"
+    return 1
+  fi
+  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_PROFILE AWS_ENDPOINT_URL RUN_VERSITYGW \
+    BUCKET_ONE_NAME BUCKET_TWO_NAME RECREATE_BUCKETS
+  if [[ -n "$TEST_LOG_FILE" ]]; then
+    export TEST_LOG_FILE
+  fi
+  if [[ -n "$VERSITY_LOG_FILE" ]]; then
+    export VERSITY_LOG_FILE
+  fi
+}
+
+check_versity_vars() {
+  if [ -z "$LOCAL_FOLDER" ]; then
+    log 2 "No local storage folder set"
+    return 1
+  elif [ -z "$VERSITY_EXE" ]; then
+    log 2 "No versity executable location set"
+    return 1
+  elif [ -z "$BACKEND" ]; then
+    log 2 "No backend parameter set (options: 'posix', 's3')"
+    return 1
+  fi
+  export LOCAL_FOLDER VERSITY_EXE BACKEND
+  if [ "$BACKEND" == 's3' ]; then
+    if [ -z "$AWS_ACCESS_KEY_ID_TWO" ]; then
+      log 2 "missing second AWS access key ID for s3 backend"
+      return 1
+    fi
+    if [ -z "$AWS_SECRET_ACCESS_KEY_TWO" ]; then
+      log 2 "missing second AWS secret access key for s3 backend"
+      return 1
+    fi
+    export AWS_ACCESS_KEY_ID_TWO AWS_SECRET_ACCESS_KEY_TWO
+  fi
+  if [[ -r $GOCOVERDIR ]]; then
+    export GOCOVERDIR=$GOCOVERDIR
+  fi
+  if [[ $RUN_USERS == "true" ]]; then
+    if ! check_user_vars; then
+      log 2 "error setting user vars"
+      return 1
+    fi
+  fi
+}
+
+check_user_vars() {
+  if [[ -z "$IAM_TYPE" ]]; then
+    export IAM_TYPE="folder"
+  fi
+  if [[ "$IAM_TYPE" == "folder" ]]; then
+    if [[ -z "$USERS_FOLDER" ]]; then
+      log 2 "if IAM type is folder (or not set), USERS_FOLDER parameter is required"
+      return 1
+    fi
+    if [ ! -d "$USERS_FOLDER" ]; then
+      if mkdir_error=$(mkdir "$USERS_FOLDER" 2>&1); then
+        log 2 "error creating users folder: $mkdir_error"
+        return 1
+      fi
+    fi
+    IAM_PARAMS="--iam-dir=$USERS_FOLDER"
+    export IAM_PARAMS
+    return 0
+  fi
+  if [[ $IAM_TYPE == "s3" ]]; then
+    if [[ -z "$USERS_BUCKET" ]]; then
+      log 2 "if IAM type is s3, USERS_BUCKET is required"
+      return 1
+    fi
+    IAM_PARAMS="--s3-iam-access $AWS_ACCESS_KEY_ID --s3-iam-secret $AWS_SECRET_ACCESS_KEY \
+      --s3-iam-region us-east-1 --s3-iam-bucket $USERS_BUCKET --s3-iam-endpoint $AWS_ENDPOINT_URL \
+      --s3-iam-noverify"
+    export IAM_PARAMS
+    return 0
+  fi
+  log 2 "unrecognized IAM_TYPE value: $IAM_TYPE"
+  return 1
+}
--- a/tests/iam.sh
+++ b/tests/iam.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+get_iam_parameters() {
+  if [[ -z "$IAM_TYPE" ]]; then
+    export IAM_TYPE="folder"
+  fi
+  if [[ "$IAM_TYPE" == "folder" ]]; then
+    if [[ -z "$USERS_FOLDER" ]]; then
+      log 2 "if IAM type is folder (or not set), USERS_FOLDER parameter is required"
+      return 1
+    fi
+    if [ ! -d "$USERS_FOLDER" ]; then
+      if mkdir_error=$(mkdir "$USERS_FOLDER" 2>&1); then
+        log 2 "error creating users folder: $mkdir_error"
+        return 1
+      fi
+    fi
+    iam_params="--iam-dir=$USERS_FOLDER"
+    export iam_params
+    return 0
+  fi
+  if [[ $IAM_TYPE == "s3" ]]; then
+    if [[ -z "$USERS_BUCKET" ]]; then
+      log 2 "if IAM type is s3, USERS_BUCKET is required"
+      return 1
+    fi
+    log 4 "$USERS_BUCKET"
+    if ! bucket_exists "s3api" "$USERS_BUCKET"; then
+      log 4 "bucket doesn't exist"
+      if [[ $? == 2 ]]; then
+        log 2 "error checking if users bucket exists"
+        return 1
+      fi
+      if ! create_bucket "s3api" "$USERS_BUCKET"; then
+        log 2 "error creating bucket"
+        return 1
+      fi
+      log 4 "bucket create successful"
+    else
+      log 4 "bucket exists"
+    fi
+    iam_params="--s3-iam-access $AWS_ACCESS_KEY_ID --s3-iam-secret $AWS_SECRET_ACCESS_KEY \
+      --s3-iam-region us-east-1 --s3-iam-bucket $USERS_BUCKET --s3-iam-endpoint $AWS_ENDPOINT_URL \
+      --s3-iam-noverify"
+    export iam_params
+    return 0
+  fi
+  log 2 "unrecognized IAM_TYPE value: $IAM_TYPE"
+  return 1
+}
--- a/tests/integration/bench.go
+++ b/tests/integration/bench.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package integration

 import (
--- a/tests/integration/data-io.go
+++ b/tests/integration/data-io.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package integration

 import (
--- a/tests/integration/group-tests.go
+++ b/tests/integration/group-tests.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package integration

 func TestAuthentication(s *S3Conf) {
@@ -50,6 +64,7 @@ func TestPresignedAuthentication(s *S3Conf) {
 func TestCreateBucket(s *S3Conf) {
 	CreateBucket_invalid_bucket_name(s)
 	CreateBucket_existing_bucket(s)
+	CreateBucket_owned_by_you(s)
 	CreateBucket_as_user(s)
 	CreateBucket_default_acl(s)
 	CreateBucket_non_default_acl(s)
@@ -104,6 +119,9 @@ func TestPutObject(s *S3Conf) {

 func TestHeadObject(s *S3Conf) {
 	HeadObject_non_existing_object(s)
+	HeadObject_invalid_part_number(s)
+	HeadObject_non_existing_mp(s)
+	HeadObject_mp_success(s)
 	HeadObject_success(s)
 }

@@ -121,6 +139,7 @@ func TestGetObject(s *S3Conf) {
 	GetObject_with_meta(s)
 	GetObject_success(s)
 	GetObject_by_range_success(s)
+	GetObject_by_range_resp_status(s)
 }

 func TestListObjects(s *S3Conf) {
@@ -181,6 +200,14 @@ func TestDeleteObjectTagging(s *S3Conf) {

 func TestCreateMultipartUpload(s *S3Conf) {
 	CreateMultipartUpload_non_existing_bucket(s)
+	CreateMultipartUpload_with_metadata(s)
+	CreateMultipartUpload_with_invalid_tagging(s)
+	CreateMultipartUpload_with_tagging(s)
+	CreateMultipartUpload_with_content_type(s)
+	CreateMultipartUpload_with_object_lock(s)
+	CreateMultipartUpload_with_object_lock_not_enabled(s)
+	CreateMultipartUpload_with_object_lock_invalid_retention(s)
+	CreateMultipartUpload_past_retain_until_date(s)
 	CreateMultipartUpload_success(s)
 }

@@ -243,6 +270,7 @@ func TestPutBucketAcl(s *S3Conf) {
 	PutBucketAcl_invalid_acl_canned_and_grants(s)
 	PutBucketAcl_invalid_acl_acp_and_grants(s)
 	PutBucketAcl_invalid_owner(s)
+	PutBucketAcl_invalid_owner_not_in_body(s)
 	PutBucketAcl_success_access_denied(s)
 	PutBucketAcl_success_grants(s)
 	PutBucketAcl_success_canned_acl(s)
@@ -265,6 +293,8 @@ func TestPutBucketPolicy(s *S3Conf) {
 	PutBucketPolicy_incorrect_action_wildcard_usage(s)
 	PutBucketPolicy_empty_principals_string(s)
 	PutBucketPolicy_empty_principals_array(s)
+	PutBucketPolicy_principals_aws_struct_empty_string(s)
+	PutBucketPolicy_principals_aws_struct_empty_string_slice(s)
 	PutBucketPolicy_principals_incorrect_wildcard_usage(s)
 	PutBucketPolicy_non_existing_principals(s)
 	PutBucketPolicy_empty_resources_string(s)
@@ -293,7 +323,11 @@ func TestDeleteBucketPolicy(s *S3Conf) {
 func TestPutObjectLockConfiguration(s *S3Conf) {
 	PutObjectLockConfiguration_non_existing_bucket(s)
 	PutObjectLockConfiguration_empty_config(s)
+	PutObjectLockConfiguration_not_enabled_on_bucket_creation(s)
+	PutObjectLockConfiguration_invalid_status(s)
+	PutObjectLockConfiguration_invalid_mode(s)
 	PutObjectLockConfiguration_both_years_and_days(s)
+	PutObjectLockConfiguration_invalid_years_days(s)
 	PutObjectLockConfiguration_success(s)
 }

@@ -309,6 +343,10 @@ func TestPutObjectRetention(s *S3Conf) {
 	PutObjectRetention_unset_bucket_object_lock_config(s)
 	PutObjectRetention_disabled_bucket_object_lock_config(s)
 	PutObjectRetention_expired_retain_until_date(s)
+	PutObjectRetention_invalid_mode(s)
+	PutObjectRetention_overwrite_compliance_mode(s)
+	PutObjectRetention_overwrite_governance_without_bypass_specified(s)
+	PutObjectRetention_overwrite_governance_with_permission(s)
 	PutObjectRetention_success(s)
 }

@@ -323,6 +361,7 @@ func TestPutObjectLegalHold(s *S3Conf) {
 	PutObjectLegalHold_non_existing_bucket(s)
 	PutObjectLegalHold_non_existing_object(s)
 	PutObjectLegalHold_invalid_body(s)
+	PutObjectLegalHold_invalid_status(s)
 	PutObjectLegalHold_unset_bucket_object_lock_config(s)
 	PutObjectLegalHold_disabled_bucket_object_lock_config(s)
 	PutObjectLegalHold_success(s)
@@ -337,12 +376,14 @@ func TestGetObjectLegalHold(s *S3Conf) {

 func TestWORMProtection(s *S3Conf) {
 	WORMProtection_bucket_object_lock_configuration_compliance_mode(s)
-	WORMProtection_bucket_object_lock_governance_root_overwrite(s)
-	WORMProtection_object_lock_retention_compliance_root_access_denied(s)
-	WORMProtection_object_lock_retention_governance_root_overwrite(s)
-	WORMProtection_object_lock_retention_governance_user_access_denied(s)
-	WORMProtection_object_lock_legal_hold_user_access_denied(s)
-	WORMProtection_object_lock_legal_hold_root_overwrite(s)
+	WORMProtection_bucket_object_lock_configuration_governance_mode(s)
+	WORMProtection_bucket_object_lock_governance_bypass_delete(s)
+	WORMProtection_object_lock_retention_compliance_locked(s)
+	WORMProtection_object_lock_retention_governance_locked(s)
+	WORMProtection_object_lock_retention_governance_bypass_overwrite(s)
+	WORMProtection_object_lock_retention_governance_bypass_delete(s)
+	WORMProtection_object_lock_retention_governance_bypass_delete_mul(s)
+	WORMProtection_object_lock_legal_hold_locked(s)
 }

 func TestFullFlow(s *S3Conf) {
@@ -416,237 +457,265 @@ type IntTests map[string]func(s *S3Conf) error

 func GetIntTests() IntTests {
 	return IntTests{
-		"Authentication_empty_auth_header":                                   Authentication_empty_auth_header,
-		"Authentication_invalid_auth_header":                                 Authentication_invalid_auth_header,
-		"Authentication_unsupported_signature_version":                       Authentication_unsupported_signature_version,
-		"Authentication_malformed_credentials":                               Authentication_malformed_credentials,
-		"Authentication_malformed_credentials_invalid_parts":                 Authentication_malformed_credentials_invalid_parts,
-		"Authentication_credentials_terminated_string":                       Authentication_credentials_terminated_string,
-		"Authentication_credentials_incorrect_service":                       Authentication_credentials_incorrect_service,
-		"Authentication_credentials_incorrect_region":                        Authentication_credentials_incorrect_region,
-		"Authentication_credentials_invalid_date":                            Authentication_credentials_invalid_date,
-		"Authentication_credentials_future_date":                             Authentication_credentials_future_date,
-		"Authentication_credentials_past_date":                               Authentication_credentials_past_date,
-		"Authentication_credentials_non_existing_access_key":                 Authentication_credentials_non_existing_access_key,
-		"Authentication_invalid_signed_headers":                              Authentication_invalid_signed_headers,
-		"Authentication_missing_date_header":                                 Authentication_missing_date_header,
-		"Authentication_invalid_date_header":                                 Authentication_invalid_date_header,
-		"Authentication_date_mismatch":                                       Authentication_date_mismatch,
-		"Authentication_incorrect_payload_hash":                              Authentication_incorrect_payload_hash,
-		"Authentication_incorrect_md5":                                       Authentication_incorrect_md5,
-		"Authentication_signature_error_incorrect_secret_key":                Authentication_signature_error_incorrect_secret_key,
-		"PresignedAuth_missing_algo_query_param":                             PresignedAuth_missing_algo_query_param,
-		"PresignedAuth_unsupported_algorithm":                                PresignedAuth_unsupported_algorithm,
-		"PresignedAuth_missing_credentials_query_param":                      PresignedAuth_missing_credentials_query_param,
-		"PresignedAuth_malformed_creds_invalid_parts":                        PresignedAuth_malformed_creds_invalid_parts,
-		"PresignedAuth_creds_invalid_terminator":                             PresignedAuth_creds_invalid_terminator,
-		"PresignedAuth_creds_incorrect_service":                              PresignedAuth_creds_incorrect_service,
-		"PresignedAuth_creds_incorrect_region":                               PresignedAuth_creds_incorrect_region,
-		"PresignedAuth_creds_invalid_date":                                   PresignedAuth_creds_invalid_date,
-		"PresignedAuth_missing_date_query":                                   PresignedAuth_missing_date_query,
-		"PresignedAuth_dates_mismatch":                                       PresignedAuth_dates_mismatch,
-		"PresignedAuth_non_existing_access_key_id":                           PresignedAuth_non_existing_access_key_id,
-		"PresignedAuth_missing_signed_headers_query_param":                   PresignedAuth_missing_signed_headers_query_param,
-		"PresignedAuth_missing_expiration_query_param":                       PresignedAuth_missing_expiration_query_param,
-		"PresignedAuth_invalid_expiration_query_param":                       PresignedAuth_invalid_expiration_query_param,
-		"PresignedAuth_negative_expiration_query_param":                      PresignedAuth_negative_expiration_query_param,
-		"PresignedAuth_exceeding_expiration_query_param":                     PresignedAuth_exceeding_expiration_query_param,
-		"PresignedAuth_expired_request":                                      PresignedAuth_expired_request,
-		"PresignedAuth_incorrect_secret_key":                                 PresignedAuth_incorrect_secret_key,
-		"PresignedAuth_PutObject_success":                                    PresignedAuth_PutObject_success,
-		"PutObject_missing_object_lock_retention_config":                     PutObject_missing_object_lock_retention_config,
-		"PutObject_with_object_lock":                                         PutObject_with_object_lock,
-		"PresignedAuth_Put_GetObject_with_data":                              PresignedAuth_Put_GetObject_with_data,
-		"PresignedAuth_Put_GetObject_with_UTF8_chars":                        PresignedAuth_Put_GetObject_with_UTF8_chars,
-		"PresignedAuth_UploadPart":                                           PresignedAuth_UploadPart,
-		"CreateBucket_invalid_bucket_name":                                   CreateBucket_invalid_bucket_name,
-		"CreateBucket_existing_bucket":                                       CreateBucket_existing_bucket,
-		"CreateBucket_as_user":                                               CreateBucket_as_user,
-		"CreateDeleteBucket_success":                                         CreateDeleteBucket_success,
-		"CreateBucket_default_acl":                                           CreateBucket_default_acl,
-		"CreateBucket_non_default_acl":                                       CreateBucket_non_default_acl,
-		"CreateBucket_default_object_lock":                                   CreateBucket_default_object_lock,
-		"HeadBucket_non_existing_bucket":                                     HeadBucket_non_existing_bucket,
-		"HeadBucket_success":                                                 HeadBucket_success,
-		"ListBuckets_as_user":                                                ListBuckets_as_user,
-		"ListBuckets_as_admin":                                               ListBuckets_as_admin,
-		"ListBuckets_success":                                                ListBuckets_success,
-		"DeleteBucket_non_existing_bucket":                                   DeleteBucket_non_existing_bucket,
-		"DeleteBucket_non_empty_bucket":                                      DeleteBucket_non_empty_bucket,
-		"DeleteBucket_success_status_code":                                   DeleteBucket_success_status_code,
-		"PutBucketTagging_non_existing_bucket":                               PutBucketTagging_non_existing_bucket,
-		"PutBucketTagging_long_tags":                                         PutBucketTagging_long_tags,
-		"PutBucketTagging_success":                                           PutBucketTagging_success,
-		"GetBucketTagging_non_existing_bucket":                               GetBucketTagging_non_existing_bucket,
-		"GetBucketTagging_unset_tags":                                        GetBucketTagging_unset_tags,
-		"GetBucketTagging_success":                                           GetBucketTagging_success,
-		"DeleteBucketTagging_non_existing_object":                            DeleteBucketTagging_non_existing_object,
-		"DeleteBucketTagging_success_status":                                 DeleteBucketTagging_success_status,
-		"DeleteBucketTagging_success":                                        DeleteBucketTagging_success,
-		"PutObject_non_existing_bucket":                                      PutObject_non_existing_bucket,
-		"PutObject_special_chars":                                            PutObject_special_chars,
-		"PutObject_invalid_long_tags":                                        PutObject_invalid_long_tags,
-		"PutObject_success":                                                  PutObject_success,
-		"HeadObject_non_existing_object":                                     HeadObject_non_existing_object,
-		"HeadObject_success":                                                 HeadObject_success,
-		"GetObjectAttributes_non_existing_bucket":                            GetObjectAttributes_non_existing_bucket,
-		"GetObjectAttributes_non_existing_object":                            GetObjectAttributes_non_existing_object,
-		"GetObjectAttributes_existing_object":                                GetObjectAttributes_existing_object,
-		"GetObjectAttributes_multipart_upload":                               GetObjectAttributes_multipart_upload,
-		"GetObjectAttributes_multipart_upload_truncated":                     GetObjectAttributes_multipart_upload_truncated,
-		"GetObject_non_existing_key":                                         GetObject_non_existing_key,
-		"GetObject_invalid_ranges":                                           GetObject_invalid_ranges,
-		"GetObject_with_meta":                                                GetObject_with_meta,
-		"GetObject_success":                                                  GetObject_success,
-		"GetObject_by_range_success":                                         GetObject_by_range_success,
-		"ListObjects_non_existing_bucket":                                    ListObjects_non_existing_bucket,
-		"ListObjects_with_prefix":                                            ListObjects_with_prefix,
-		"ListObject_truncated":                                               ListObject_truncated,
-		"ListObjects_invalid_max_keys":                                       ListObjects_invalid_max_keys,
-		"ListObjects_max_keys_0":                                             ListObjects_max_keys_0,
-		"ListObjects_delimiter":                                              ListObjects_delimiter,
-		"ListObjects_max_keys_none":                                          ListObjects_max_keys_none,
-		"ListObjects_marker_not_from_obj_list":                               ListObjects_marker_not_from_obj_list,
-		"ListObjectsV2_start_after":                                          ListObjectsV2_start_after,
-		"ListObjectsV2_both_start_after_and_continuation_token":              ListObjectsV2_both_start_after_and_continuation_token,
-		"ListObjectsV2_start_after_not_in_list":                              ListObjectsV2_start_after_not_in_list,
-		"ListObjectsV2_start_after_empty_result":                             ListObjectsV2_start_after_empty_result,
-		"DeleteObject_non_existing_object":                                   DeleteObject_non_existing_object,
-		"DeleteObject_success":                                               DeleteObject_success,
-		"DeleteObject_success_status_code":                                   DeleteObject_success_status_code,
-		"DeleteObjects_empty_input":                                          DeleteObjects_empty_input,
-		"DeleteObjects_non_existing_objects":                                 DeleteObjects_non_existing_objects,
-		"DeleteObjects_success":                                              DeleteObjects_success,
-		"CopyObject_non_existing_dst_bucket":                                 CopyObject_non_existing_dst_bucket,
-		"CopyObject_not_owned_source_bucket":                                 CopyObject_not_owned_source_bucket,
-		"CopyObject_copy_to_itself":                                          CopyObject_copy_to_itself,
-		"CopyObject_to_itself_with_new_metadata":                             CopyObject_to_itself_with_new_metadata,
-		"CopyObject_success":                                                 CopyObject_success,
-		"PutObjectTagging_non_existing_object":                               PutObjectTagging_non_existing_object,
-		"PutObjectTagging_long_tags":                                         PutObjectTagging_long_tags,
-		"PutObjectTagging_success":                                           PutObjectTagging_success,
-		"GetObjectTagging_non_existing_object":                               GetObjectTagging_non_existing_object,
-		"GetObjectTagging_unset_tags":                                        GetObjectTagging_unset_tags,
-		"GetObjectTagging_success":                                           GetObjectTagging_success,
-		"DeleteObjectTagging_non_existing_object":                            DeleteObjectTagging_non_existing_object,
-		"DeleteObjectTagging_success_status":                                 DeleteObjectTagging_success_status,
-		"DeleteObjectTagging_success":                                        DeleteObjectTagging_success,
-		"CreateMultipartUpload_non_existing_bucket":                          CreateMultipartUpload_non_existing_bucket,
-		"CreateMultipartUpload_success":                                      CreateMultipartUpload_success,
-		"UploadPart_non_existing_bucket":                                     UploadPart_non_existing_bucket,
-		"UploadPart_invalid_part_number":                                     UploadPart_invalid_part_number,
-		"UploadPart_non_existing_key":                                        UploadPart_non_existing_key,
-		"UploadPart_non_existing_mp_upload":                                  UploadPart_non_existing_mp_upload,
-		"UploadPart_success":                                                 UploadPart_success,
-		"UploadPartCopy_non_existing_bucket":                                 UploadPartCopy_non_existing_bucket,
-		"UploadPartCopy_incorrect_uploadId":                                  UploadPartCopy_incorrect_uploadId,
-		"UploadPartCopy_incorrect_object_key":                                UploadPartCopy_incorrect_object_key,
-		"UploadPartCopy_invalid_part_number":                                 UploadPartCopy_invalid_part_number,
-		"UploadPartCopy_invalid_copy_source":                                 UploadPartCopy_invalid_copy_source,
-		"UploadPartCopy_non_existing_source_bucket":                          UploadPartCopy_non_existing_source_bucket,
-		"UploadPartCopy_non_existing_source_object_key":                      UploadPartCopy_non_existing_source_object_key,
-		"UploadPartCopy_success":                                             UploadPartCopy_success,
-		"UploadPartCopy_by_range_invalid_range":                              UploadPartCopy_by_range_invalid_range,
-		"UploadPartCopy_greater_range_than_obj_size":                         UploadPartCopy_greater_range_than_obj_size,
-		"UploadPartCopy_by_range_success":                                    UploadPartCopy_by_range_success,
-		"ListParts_incorrect_uploadId":                                       ListParts_incorrect_uploadId,
-		"ListParts_incorrect_object_key":                                     ListParts_incorrect_object_key,
-		"ListParts_success":                                                  ListParts_success,
-		"ListMultipartUploads_non_existing_bucket":                           ListMultipartUploads_non_existing_bucket,
-		"ListMultipartUploads_empty_result":                                  ListMultipartUploads_empty_result,
-		"ListMultipartUploads_invalid_max_uploads":                           ListMultipartUploads_invalid_max_uploads,
-		"ListMultipartUploads_max_uploads":                                   ListMultipartUploads_max_uploads,
-		"ListMultipartUploads_incorrect_next_key_marker":                     ListMultipartUploads_incorrect_next_key_marker,
-		"ListMultipartUploads_ignore_upload_id_marker":                       ListMultipartUploads_ignore_upload_id_marker,
-		"ListMultipartUploads_success":                                       ListMultipartUploads_success,
-		"AbortMultipartUpload_non_existing_bucket":                           AbortMultipartUpload_non_existing_bucket,
-		"AbortMultipartUpload_incorrect_uploadId":                            AbortMultipartUpload_incorrect_uploadId,
-		"AbortMultipartUpload_incorrect_object_key":                          AbortMultipartUpload_incorrect_object_key,
-		"AbortMultipartUpload_success":                                       AbortMultipartUpload_success,
-		"AbortMultipartUpload_success_status_code":                           AbortMultipartUpload_success_status_code,
-		"CompletedMultipartUpload_non_existing_bucket":                       CompletedMultipartUpload_non_existing_bucket,
-		"CompleteMultipartUpload_invalid_part_number":                        CompleteMultipartUpload_invalid_part_number,
-		"CompleteMultipartUpload_invalid_ETag":                               CompleteMultipartUpload_invalid_ETag,
-		"CompleteMultipartUpload_success":                                    CompleteMultipartUpload_success,
-		"PutBucketAcl_non_existing_bucket":                                   PutBucketAcl_non_existing_bucket,
-		"PutBucketAcl_invalid_acl_canned_and_acp":                            PutBucketAcl_invalid_acl_canned_and_acp,
-		"PutBucketAcl_invalid_acl_canned_and_grants":                         PutBucketAcl_invalid_acl_canned_and_grants,
-		"PutBucketAcl_invalid_acl_acp_and_grants":                            PutBucketAcl_invalid_acl_acp_and_grants,
-		"PutBucketAcl_invalid_owner":                                         PutBucketAcl_invalid_owner,
-		"PutBucketAcl_success_access_denied":                                 PutBucketAcl_success_access_denied,
-		"PutBucketAcl_success_grants":                                        PutBucketAcl_success_grants,
-		"PutBucketAcl_success_canned_acl":                                    PutBucketAcl_success_canned_acl,
-		"PutBucketAcl_success_acp":                                           PutBucketAcl_success_acp,
-		"GetBucketAcl_non_existing_bucket":                                   GetBucketAcl_non_existing_bucket,
-		"GetBucketAcl_access_denied":                                         GetBucketAcl_access_denied,
-		"GetBucketAcl_success":                                               GetBucketAcl_success,
-		"PutBucketPolicy_non_existing_bucket":                                PutBucketPolicy_non_existing_bucket,
-		"PutBucketPolicy_invalid_effect":                                     PutBucketPolicy_invalid_effect,
-		"PutBucketPolicy_empty_actions_string":                               PutBucketPolicy_empty_actions_string,
-		"PutBucketPolicy_empty_actions_array":                                PutBucketPolicy_empty_actions_array,
-		"PutBucketPolicy_invalid_action":                                     PutBucketPolicy_invalid_action,
-		"PutBucketPolicy_unsupported_action":                                 PutBucketPolicy_unsupported_action,
-		"PutBucketPolicy_incorrect_action_wildcard_usage":                    PutBucketPolicy_incorrect_action_wildcard_usage,
-		"PutBucketPolicy_empty_principals_string":                            PutBucketPolicy_empty_principals_string,
-		"PutBucketPolicy_empty_principals_array":                             PutBucketPolicy_empty_principals_array,
-		"PutBucketPolicy_principals_incorrect_wildcard_usage":                PutBucketPolicy_principals_incorrect_wildcard_usage,
-		"PutBucketPolicy_non_existing_principals":                            PutBucketPolicy_non_existing_principals,
-		"PutBucketPolicy_empty_resources_string":                             PutBucketPolicy_empty_resources_string,
-		"PutBucketPolicy_empty_resources_array":                              PutBucketPolicy_empty_resources_array,
-		"PutBucketPolicy_invalid_resource_prefix":                            PutBucketPolicy_invalid_resource_prefix,
-		"PutBucketPolicy_invalid_resource_with_starting_slash":               PutBucketPolicy_invalid_resource_with_starting_slash,
-		"PutBucketPolicy_duplicate_resource":                                 PutBucketPolicy_duplicate_resource,
-		"PutBucketPolicy_incorrect_bucket_name":                              PutBucketPolicy_incorrect_bucket_name,
-		"PutBucketPolicy_object_action_on_bucket_resource":                   PutBucketPolicy_object_action_on_bucket_resource,
-		"PutBucketPolicy_bucket_action_on_object_resource":                   PutBucketPolicy_bucket_action_on_object_resource,
-		"PutBucketPolicy_success":                                            PutBucketPolicy_success,
-		"GetBucketPolicy_non_existing_bucket":                                GetBucketPolicy_non_existing_bucket,
-		"GetBucketPolicy_not_set":                                            GetBucketPolicy_not_set,
-		"GetBucketPolicy_success":                                            GetBucketPolicy_success,
-		"DeleteBucketPolicy_non_existing_bucket":                             DeleteBucketPolicy_non_existing_bucket,
-		"DeleteBucketPolicy_remove_before_setting":                           DeleteBucketPolicy_remove_before_setting,
-		"DeleteBucketPolicy_success":                                         DeleteBucketPolicy_success,
-		"PutObjectLockConfiguration_non_existing_bucket":                     PutObjectLockConfiguration_non_existing_bucket,
-		"PutObjectLockConfiguration_empty_config":                            PutObjectLockConfiguration_empty_config,
-		"PutObjectLockConfiguration_both_years_and_days":                     PutObjectLockConfiguration_both_years_and_days,
-		"PutObjectLockConfiguration_success":                                 PutObjectLockConfiguration_success,
-		"GetObjectLockConfiguration_non_existing_bucket":                     GetObjectLockConfiguration_non_existing_bucket,
-		"GetObjectLockConfiguration_unset_config":                            GetObjectLockConfiguration_unset_config,
-		"GetObjectLockConfiguration_success":                                 GetObjectLockConfiguration_success,
-		"PutObjectRetention_non_existing_bucket":                             PutObjectRetention_non_existing_bucket,
-		"PutObjectRetention_non_existing_object":                             PutObjectRetention_non_existing_object,
-		"PutObjectRetention_unset_bucket_object_lock_config":                 PutObjectRetention_unset_bucket_object_lock_config,
-		"PutObjectRetention_disabled_bucket_object_lock_config":              PutObjectRetention_disabled_bucket_object_lock_config,
-		"PutObjectRetention_expired_retain_until_date":                       PutObjectRetention_expired_retain_until_date,
-		"PutObjectRetention_success":                                         PutObjectRetention_success,
-		"GetObjectRetention_non_existing_bucket":                             GetObjectRetention_non_existing_bucket,
-		"GetObjectRetention_non_existing_object":                             GetObjectRetention_non_existing_object,
-		"GetObjectRetention_unset_config":                                    GetObjectRetention_unset_config,
-		"GetObjectRetention_success":                                         GetObjectRetention_success,
-		"PutObjectLegalHold_non_existing_bucket":                             PutObjectLegalHold_non_existing_bucket,
-		"PutObjectLegalHold_non_existing_object":                             PutObjectLegalHold_non_existing_object,
-		"PutObjectLegalHold_invalid_body":                                    PutObjectLegalHold_invalid_body,
-		"PutObjectLegalHold_unset_bucket_object_lock_config":                 PutObjectLegalHold_unset_bucket_object_lock_config,
-		"PutObjectLegalHold_disabled_bucket_object_lock_config":              PutObjectLegalHold_disabled_bucket_object_lock_config,
-		"PutObjectLegalHold_success":                                         PutObjectLegalHold_success,
-		"GetObjectLegalHold_non_existing_bucket":                             GetObjectLegalHold_non_existing_bucket,
-		"GetObjectLegalHold_non_existing_object":                             GetObjectLegalHold_non_existing_object,
-		"GetObjectLegalHold_unset_config":                                    GetObjectLegalHold_unset_config,
-		"GetObjectLegalHold_success":                                         GetObjectLegalHold_success,
-		"WORMProtection_bucket_object_lock_configuration_compliance_mode":    WORMProtection_bucket_object_lock_configuration_compliance_mode,
-		"WORMProtection_bucket_object_lock_governance_root_overwrite":        WORMProtection_bucket_object_lock_governance_root_overwrite,
-		"WORMProtection_object_lock_retention_compliance_root_access_denied": WORMProtection_object_lock_retention_compliance_root_access_denied,
-		"WORMProtection_object_lock_retention_governance_root_overwrite":     WORMProtection_object_lock_retention_governance_root_overwrite,
-		"WORMProtection_object_lock_retention_governance_user_access_denied": WORMProtection_object_lock_retention_governance_user_access_denied,
-		"WORMProtection_object_lock_legal_hold_user_access_denied":           WORMProtection_object_lock_legal_hold_user_access_denied,
-		"WORMProtection_object_lock_legal_hold_root_overwrite":               WORMProtection_object_lock_legal_hold_root_overwrite,
-		"PutObject_overwrite_dir_obj":                                        PutObject_overwrite_dir_obj,
-		"PutObject_overwrite_file_obj":                                       PutObject_overwrite_file_obj,
-		"PutObject_dir_obj_with_data":                                        PutObject_dir_obj_with_data,
-		"CreateMultipartUpload_dir_obj":                                      CreateMultipartUpload_dir_obj,
-		"IAM_user_access_denied":                                             IAM_user_access_denied,
-		"IAM_userplus_access_denied":                                         IAM_userplus_access_denied,
-		"IAM_userplus_CreateBucket":                                          IAM_userplus_CreateBucket,
-		"IAM_admin_ChangeBucketOwner":                                        IAM_admin_ChangeBucketOwner,
+		"Authentication_empty_auth_header":                                    Authentication_empty_auth_header,
+		"Authentication_invalid_auth_header":                                  Authentication_invalid_auth_header,
+		"Authentication_unsupported_signature_version":                        Authentication_unsupported_signature_version,
+		"Authentication_malformed_credentials":                                Authentication_malformed_credentials,
+		"Authentication_malformed_credentials_invalid_parts":                  Authentication_malformed_credentials_invalid_parts,
+		"Authentication_credentials_terminated_string":                        Authentication_credentials_terminated_string,
+		"Authentication_credentials_incorrect_service":                        Authentication_credentials_incorrect_service,
+		"Authentication_credentials_incorrect_region":                         Authentication_credentials_incorrect_region,
+		"Authentication_credentials_invalid_date":                             Authentication_credentials_invalid_date,
+		"Authentication_credentials_future_date":                              Authentication_credentials_future_date,
+		"Authentication_credentials_past_date":                                Authentication_credentials_past_date,
+		"Authentication_credentials_non_existing_access_key":                  Authentication_credentials_non_existing_access_key,
+		"Authentication_invalid_signed_headers":                               Authentication_invalid_signed_headers,
+		"Authentication_missing_date_header":                                  Authentication_missing_date_header,
+		"Authentication_invalid_date_header":                                  Authentication_invalid_date_header,
+		"Authentication_date_mismatch":                                        Authentication_date_mismatch,
+		"Authentication_incorrect_payload_hash":                               Authentication_incorrect_payload_hash,
+		"Authentication_incorrect_md5":                                        Authentication_incorrect_md5,
+		"Authentication_signature_error_incorrect_secret_key":                 Authentication_signature_error_incorrect_secret_key,
+		"PresignedAuth_missing_algo_query_param":                              PresignedAuth_missing_algo_query_param,
+		"PresignedAuth_unsupported_algorithm":                                 PresignedAuth_unsupported_algorithm,
+		"PresignedAuth_missing_credentials_query_param":                       PresignedAuth_missing_credentials_query_param,
+		"PresignedAuth_malformed_creds_invalid_parts":                         PresignedAuth_malformed_creds_invalid_parts,
+		"PresignedAuth_creds_invalid_terminator":                              PresignedAuth_creds_invalid_terminator,
+		"PresignedAuth_creds_incorrect_service":                               PresignedAuth_creds_incorrect_service,
+		"PresignedAuth_creds_incorrect_region":                                PresignedAuth_creds_incorrect_region,
+		"PresignedAuth_creds_invalid_date":                                    PresignedAuth_creds_invalid_date,
+		"PresignedAuth_missing_date_query":                                    PresignedAuth_missing_date_query,
+		"PresignedAuth_dates_mismatch":                                        PresignedAuth_dates_mismatch,
+		"PresignedAuth_non_existing_access_key_id":                            PresignedAuth_non_existing_access_key_id,
+		"PresignedAuth_missing_signed_headers_query_param":                    PresignedAuth_missing_signed_headers_query_param,
+		"PresignedAuth_missing_expiration_query_param":                        PresignedAuth_missing_expiration_query_param,
+		"PresignedAuth_invalid_expiration_query_param":                        PresignedAuth_invalid_expiration_query_param,
+		"PresignedAuth_negative_expiration_query_param":                       PresignedAuth_negative_expiration_query_param,
+		"PresignedAuth_exceeding_expiration_query_param":                      PresignedAuth_exceeding_expiration_query_param,
+		"PresignedAuth_expired_request":                                       PresignedAuth_expired_request,
+		"PresignedAuth_incorrect_secret_key":                                  PresignedAuth_incorrect_secret_key,
+		"PresignedAuth_PutObject_success":                                     PresignedAuth_PutObject_success,
+		"PutObject_missing_object_lock_retention_config":                      PutObject_missing_object_lock_retention_config,
+		"PutObject_with_object_lock":                                          PutObject_with_object_lock,
+		"PresignedAuth_Put_GetObject_with_data":                               PresignedAuth_Put_GetObject_with_data,
+		"PresignedAuth_Put_GetObject_with_UTF8_chars":                         PresignedAuth_Put_GetObject_with_UTF8_chars,
+		"PresignedAuth_UploadPart":                                            PresignedAuth_UploadPart,
+		"CreateBucket_invalid_bucket_name":                                    CreateBucket_invalid_bucket_name,
+		"CreateBucket_existing_bucket":                                        CreateBucket_existing_bucket,
+		"CreateBucket_owned_by_you":                                           CreateBucket_owned_by_you,
+		"CreateBucket_as_user":                                                CreateBucket_as_user,
+		"CreateDeleteBucket_success":                                          CreateDeleteBucket_success,
+		"CreateBucket_default_acl":                                            CreateBucket_default_acl,
+		"CreateBucket_non_default_acl":                                        CreateBucket_non_default_acl,
+		"CreateBucket_default_object_lock":                                    CreateBucket_default_object_lock,
+		"HeadBucket_non_existing_bucket":                                      HeadBucket_non_existing_bucket,
+		"HeadBucket_success":                                                  HeadBucket_success,
+		"ListBuckets_as_user":                                                 ListBuckets_as_user,
+		"ListBuckets_as_admin":                                                ListBuckets_as_admin,
+		"ListBuckets_success":                                                 ListBuckets_success,
+		"DeleteBucket_non_existing_bucket":                                    DeleteBucket_non_existing_bucket,
+		"DeleteBucket_non_empty_bucket":                                       DeleteBucket_non_empty_bucket,
+		"DeleteBucket_success_status_code":                                    DeleteBucket_success_status_code,
+		"PutBucketTagging_non_existing_bucket":                                PutBucketTagging_non_existing_bucket,
+		"PutBucketTagging_long_tags":                                          PutBucketTagging_long_tags,
+		"PutBucketTagging_success":                                            PutBucketTagging_success,
+		"GetBucketTagging_non_existing_bucket":                                GetBucketTagging_non_existing_bucket,
+		"GetBucketTagging_unset_tags":                                         GetBucketTagging_unset_tags,
+		"GetBucketTagging_success":                                            GetBucketTagging_success,
+		"DeleteBucketTagging_non_existing_object":                             DeleteBucketTagging_non_existing_object,
+		"DeleteBucketTagging_success_status":                                  DeleteBucketTagging_success_status,
+		"DeleteBucketTagging_success":                                         DeleteBucketTagging_success,
+		"PutObject_non_existing_bucket":                                       PutObject_non_existing_bucket,
+		"PutObject_special_chars":                                             PutObject_special_chars,
+		"PutObject_invalid_long_tags":                                         PutObject_invalid_long_tags,
+		"PutObject_success":                                                   PutObject_success,
+		"HeadObject_non_existing_object":                                      HeadObject_non_existing_object,
+		"HeadObject_invalid_part_number":                                      HeadObject_invalid_part_number,
+		"HeadObject_non_existing_mp":                                          HeadObject_non_existing_mp,
+		"HeadObject_mp_success":                                               HeadObject_mp_success,
+		"HeadObject_success":                                                  HeadObject_success,
+		"GetObjectAttributes_non_existing_bucket":                             GetObjectAttributes_non_existing_bucket,
+		"GetObjectAttributes_non_existing_object":                             GetObjectAttributes_non_existing_object,
+		"GetObjectAttributes_existing_object":                                 GetObjectAttributes_existing_object,
+		"GetObjectAttributes_multipart_upload":                                GetObjectAttributes_multipart_upload,
+		"GetObjectAttributes_multipart_upload_truncated":                      GetObjectAttributes_multipart_upload_truncated,
+		"GetObject_non_existing_key":                                          GetObject_non_existing_key,
+		"GetObject_invalid_ranges":                                            GetObject_invalid_ranges,
+		"GetObject_with_meta":                                                 GetObject_with_meta,
+		"GetObject_success":                                                   GetObject_success,
+		"GetObject_by_range_success":                                          GetObject_by_range_success,
+		"GetObject_by_range_resp_status":                                      GetObject_by_range_resp_status,
+		"ListObjects_non_existing_bucket":                                     ListObjects_non_existing_bucket,
+		"ListObjects_with_prefix":                                             ListObjects_with_prefix,
+		"ListObject_truncated":                                                ListObject_truncated,
+		"ListObjects_invalid_max_keys":                                        ListObjects_invalid_max_keys,
+		"ListObjects_max_keys_0":                                              ListObjects_max_keys_0,
+		"ListObjects_delimiter":                                               ListObjects_delimiter,
+		"ListObjects_max_keys_none":                                           ListObjects_max_keys_none,
+		"ListObjects_marker_not_from_obj_list":                                ListObjects_marker_not_from_obj_list,
+		"ListObjectsV2_start_after":                                           ListObjectsV2_start_after,
+		"ListObjectsV2_both_start_after_and_continuation_token":               ListObjectsV2_both_start_after_and_continuation_token,
+		"ListObjectsV2_start_after_not_in_list":                               ListObjectsV2_start_after_not_in_list,
+		"ListObjectsV2_start_after_empty_result":                              ListObjectsV2_start_after_empty_result,
+		"DeleteObject_non_existing_object":                                    DeleteObject_non_existing_object,
+		"DeleteObject_success":                                                DeleteObject_success,
+		"DeleteObject_success_status_code":                                    DeleteObject_success_status_code,
+		"DeleteObjects_empty_input":                                           DeleteObjects_empty_input,
+		"DeleteObjects_non_existing_objects":                                  DeleteObjects_non_existing_objects,
+		"DeleteObjects_success":                                               DeleteObjects_success,
+		"CopyObject_non_existing_dst_bucket":                                  CopyObject_non_existing_dst_bucket,
+		"CopyObject_not_owned_source_bucket":                                  CopyObject_not_owned_source_bucket,
+		"CopyObject_copy_to_itself":                                           CopyObject_copy_to_itself,
+		"CopyObject_to_itself_with_new_metadata":                              CopyObject_to_itself_with_new_metadata,
+		"CopyObject_success":                                                  CopyObject_success,
+		"PutObjectTagging_non_existing_object":                                PutObjectTagging_non_existing_object,
+		"PutObjectTagging_long_tags":                                          PutObjectTagging_long_tags,
+		"PutObjectTagging_success":                                            PutObjectTagging_success,
+		"GetObjectTagging_non_existing_object":                                GetObjectTagging_non_existing_object,
+		"GetObjectTagging_unset_tags":                                         GetObjectTagging_unset_tags,
+		"GetObjectTagging_success":                                            GetObjectTagging_success,
+		"DeleteObjectTagging_non_existing_object":                             DeleteObjectTagging_non_existing_object,
+		"DeleteObjectTagging_success_status":                                  DeleteObjectTagging_success_status,
+		"DeleteObjectTagging_success":                                         DeleteObjectTagging_success,
+		"CreateMultipartUpload_non_existing_bucket":                           CreateMultipartUpload_non_existing_bucket,
+		"CreateMultipartUpload_with_metadata":                                 CreateMultipartUpload_with_metadata,
+		"CreateMultipartUpload_with_invalid_tagging":                          CreateMultipartUpload_with_invalid_tagging,
+		"CreateMultipartUpload_with_tagging":                                  CreateMultipartUpload_with_tagging,
+		"CreateMultipartUpload_with_content_type":                             CreateMultipartUpload_with_content_type,
+		"CreateMultipartUpload_with_object_lock":                              CreateMultipartUpload_with_object_lock,
+		"CreateMultipartUpload_with_object_lock_not_enabled":                  CreateMultipartUpload_with_object_lock_not_enabled,
+		"CreateMultipartUpload_with_object_lock_invalid_retention":            CreateMultipartUpload_with_object_lock_invalid_retention,
+		"CreateMultipartUpload_past_retain_until_date":                        CreateMultipartUpload_past_retain_until_date,
+		"CreateMultipartUpload_success":                                       CreateMultipartUpload_success,
+		"UploadPart_non_existing_bucket":                                      UploadPart_non_existing_bucket,
+		"UploadPart_invalid_part_number":                                      UploadPart_invalid_part_number,
+		"UploadPart_non_existing_key":                                         UploadPart_non_existing_key,
+		"UploadPart_non_existing_mp_upload":                                   UploadPart_non_existing_mp_upload,
+		"UploadPart_success":                                                  UploadPart_success,
+		"UploadPartCopy_non_existing_bucket":                                  UploadPartCopy_non_existing_bucket,
+		"UploadPartCopy_incorrect_uploadId":                                   UploadPartCopy_incorrect_uploadId,
+		"UploadPartCopy_incorrect_object_key":                                 UploadPartCopy_incorrect_object_key,
+		"UploadPartCopy_invalid_part_number":                                  UploadPartCopy_invalid_part_number,
+		"UploadPartCopy_invalid_copy_source":                                  UploadPartCopy_invalid_copy_source,
+		"UploadPartCopy_non_existing_source_bucket":                           UploadPartCopy_non_existing_source_bucket,
+		"UploadPartCopy_non_existing_source_object_key":                       UploadPartCopy_non_existing_source_object_key,
+		"UploadPartCopy_success":                                              UploadPartCopy_success,
+		"UploadPartCopy_by_range_invalid_range":                               UploadPartCopy_by_range_invalid_range,
+		"UploadPartCopy_greater_range_than_obj_size":                          UploadPartCopy_greater_range_than_obj_size,
+		"UploadPartCopy_by_range_success":                                     UploadPartCopy_by_range_success,
+		"ListParts_incorrect_uploadId":                                        ListParts_incorrect_uploadId,
+		"ListParts_incorrect_object_key":                                      ListParts_incorrect_object_key,
+		"ListParts_success":                                                   ListParts_success,
+		"ListMultipartUploads_non_existing_bucket":                            ListMultipartUploads_non_existing_bucket,
+		"ListMultipartUploads_empty_result":                                   ListMultipartUploads_empty_result,
+		"ListMultipartUploads_invalid_max_uploads":                            ListMultipartUploads_invalid_max_uploads,
+		"ListMultipartUploads_max_uploads":                                    ListMultipartUploads_max_uploads,
+		"ListMultipartUploads_incorrect_next_key_marker":                      ListMultipartUploads_incorrect_next_key_marker,
+		"ListMultipartUploads_ignore_upload_id_marker":                        ListMultipartUploads_ignore_upload_id_marker,
+		"ListMultipartUploads_success":                                        ListMultipartUploads_success,
+		"AbortMultipartUpload_non_existing_bucket":                            AbortMultipartUpload_non_existing_bucket,
+		"AbortMultipartUpload_incorrect_uploadId":                             AbortMultipartUpload_incorrect_uploadId,
+		"AbortMultipartUpload_incorrect_object_key":                           AbortMultipartUpload_incorrect_object_key,
+		"AbortMultipartUpload_success":                                        AbortMultipartUpload_success,
+		"AbortMultipartUpload_success_status_code":                            AbortMultipartUpload_success_status_code,
+		"CompletedMultipartUpload_non_existing_bucket":                        CompletedMultipartUpload_non_existing_bucket,
+		"CompleteMultipartUpload_invalid_part_number":                         CompleteMultipartUpload_invalid_part_number,
+		"CompleteMultipartUpload_invalid_ETag":                                CompleteMultipartUpload_invalid_ETag,
+		"CompleteMultipartUpload_success":                                     CompleteMultipartUpload_success,
+		"PutBucketAcl_non_existing_bucket":                                    PutBucketAcl_non_existing_bucket,
+		"PutBucketAcl_invalid_acl_canned_and_acp":                             PutBucketAcl_invalid_acl_canned_and_acp,
+		"PutBucketAcl_invalid_acl_canned_and_grants":                          PutBucketAcl_invalid_acl_canned_and_grants,
+		"PutBucketAcl_invalid_acl_acp_and_grants":                             PutBucketAcl_invalid_acl_acp_and_grants,
+		"PutBucketAcl_invalid_owner":                                          PutBucketAcl_invalid_owner,
+		"PutBucketAcl_invalid_owner_not_in_body":                              PutBucketAcl_invalid_owner_not_in_body,
+		"PutBucketAcl_success_access_denied":                                  PutBucketAcl_success_access_denied,
+		"PutBucketAcl_success_grants":                                         PutBucketAcl_success_grants,
+		"PutBucketAcl_success_canned_acl":                                     PutBucketAcl_success_canned_acl,
+		"PutBucketAcl_success_acp":                                            PutBucketAcl_success_acp,
+		"GetBucketAcl_non_existing_bucket":                                    GetBucketAcl_non_existing_bucket,
+		"GetBucketAcl_access_denied":                                          GetBucketAcl_access_denied,
+		"GetBucketAcl_success":                                                GetBucketAcl_success,
+		"PutBucketPolicy_non_existing_bucket":                                 PutBucketPolicy_non_existing_bucket,
+		"PutBucketPolicy_invalid_effect":                                      PutBucketPolicy_invalid_effect,
+		"PutBucketPolicy_empty_actions_string":                                PutBucketPolicy_empty_actions_string,
+		"PutBucketPolicy_empty_actions_array":                                 PutBucketPolicy_empty_actions_array,
+		"PutBucketPolicy_invalid_action":                                      PutBucketPolicy_invalid_action,
+		"PutBucketPolicy_unsupported_action":                                  PutBucketPolicy_unsupported_action,
+		"PutBucketPolicy_incorrect_action_wildcard_usage":                     PutBucketPolicy_incorrect_action_wildcard_usage,
+		"PutBucketPolicy_empty_principals_string":                             PutBucketPolicy_empty_principals_string,
+		"PutBucketPolicy_empty_principals_array":                              PutBucketPolicy_empty_principals_array,
+		"PutBucketPolicy_principals_aws_struct_empty_string":                  PutBucketPolicy_principals_aws_struct_empty_string,
+		"PutBucketPolicy_principals_aws_struct_empty_string_slice":            PutBucketPolicy_principals_aws_struct_empty_string_slice,
+		"PutBucketPolicy_principals_incorrect_wildcard_usage":                 PutBucketPolicy_principals_incorrect_wildcard_usage,
+		"PutBucketPolicy_non_existing_principals":                             PutBucketPolicy_non_existing_principals,
+		"PutBucketPolicy_empty_resources_string":                              PutBucketPolicy_empty_resources_string,
+		"PutBucketPolicy_empty_resources_array":                               PutBucketPolicy_empty_resources_array,
+		"PutBucketPolicy_invalid_resource_prefix":                             PutBucketPolicy_invalid_resource_prefix,
+		"PutBucketPolicy_invalid_resource_with_starting_slash":                PutBucketPolicy_invalid_resource_with_starting_slash,
+		"PutBucketPolicy_duplicate_resource":                                  PutBucketPolicy_duplicate_resource,
+		"PutBucketPolicy_incorrect_bucket_name":                               PutBucketPolicy_incorrect_bucket_name,
+		"PutBucketPolicy_object_action_on_bucket_resource":                    PutBucketPolicy_object_action_on_bucket_resource,
+		"PutBucketPolicy_bucket_action_on_object_resource":                    PutBucketPolicy_bucket_action_on_object_resource,
+		"PutBucketPolicy_success":                                             PutBucketPolicy_success,
+		"GetBucketPolicy_non_existing_bucket":                                 GetBucketPolicy_non_existing_bucket,
+		"GetBucketPolicy_not_set":                                             GetBucketPolicy_not_set,
+		"GetBucketPolicy_success":                                             GetBucketPolicy_success,
+		"DeleteBucketPolicy_non_existing_bucket":                              DeleteBucketPolicy_non_existing_bucket,
+		"DeleteBucketPolicy_remove_before_setting":                            DeleteBucketPolicy_remove_before_setting,
+		"DeleteBucketPolicy_success":                                          DeleteBucketPolicy_success,
+		"PutObjectLockConfiguration_non_existing_bucket":                      PutObjectLockConfiguration_non_existing_bucket,
+		"PutObjectLockConfiguration_empty_config":                             PutObjectLockConfiguration_empty_config,
+		"PutObjectLockConfiguration_not_enabled_on_bucket_creation":           PutObjectLockConfiguration_not_enabled_on_bucket_creation,
+		"PutObjectLockConfiguration_invalid_status":                           PutObjectLockConfiguration_invalid_status,
+		"PutObjectLockConfiguration_invalid_mode":                             PutObjectLockConfiguration_invalid_mode,
+		"PutObjectLockConfiguration_both_years_and_days":                      PutObjectLockConfiguration_both_years_and_days,
+		"PutObjectLockConfiguration_invalid_years_days":                       PutObjectLockConfiguration_invalid_years_days,
+		"PutObjectLockConfiguration_success":                                  PutObjectLockConfiguration_success,
+		"GetObjectLockConfiguration_non_existing_bucket":                      GetObjectLockConfiguration_non_existing_bucket,
+		"GetObjectLockConfiguration_unset_config":                             GetObjectLockConfiguration_unset_config,
+		"GetObjectLockConfiguration_success":                                  GetObjectLockConfiguration_success,
+		"PutObjectRetention_non_existing_bucket":                              PutObjectRetention_non_existing_bucket,
+		"PutObjectRetention_non_existing_object":                              PutObjectRetention_non_existing_object,
+		"PutObjectRetention_unset_bucket_object_lock_config":                  PutObjectRetention_unset_bucket_object_lock_config,
+		"PutObjectRetention_disabled_bucket_object_lock_config":               PutObjectRetention_disabled_bucket_object_lock_config,
+		"PutObjectRetention_expired_retain_until_date":                        PutObjectRetention_expired_retain_until_date,
+		"PutObjectRetention_invalid_mode":                                     PutObjectRetention_invalid_mode,
+		"PutObjectRetention_overwrite_compliance_mode":                        PutObjectRetention_overwrite_compliance_mode,
+		"PutObjectRetention_overwrite_governance_without_bypass_specified":    PutObjectRetention_overwrite_governance_without_bypass_specified,
+		"PutObjectRetention_overwrite_governance_with_permission":             PutObjectRetention_overwrite_governance_with_permission,
+		"PutObjectRetention_success":                                          PutObjectRetention_success,
+		"GetObjectRetention_non_existing_bucket":                              GetObjectRetention_non_existing_bucket,
+		"GetObjectRetention_non_existing_object":                              GetObjectRetention_non_existing_object,
+		"GetObjectRetention_unset_config":                                     GetObjectRetention_unset_config,
+		"GetObjectRetention_success":                                          GetObjectRetention_success,
+		"PutObjectLegalHold_non_existing_bucket":                              PutObjectLegalHold_non_existing_bucket,
+		"PutObjectLegalHold_non_existing_object":                              PutObjectLegalHold_non_existing_object,
+		"PutObjectLegalHold_invalid_body":                                     PutObjectLegalHold_invalid_body,
+		"PutObjectLegalHold_invalid_status":                                   PutObjectLegalHold_invalid_status,
+		"PutObjectLegalHold_unset_bucket_object_lock_config":                  PutObjectLegalHold_unset_bucket_object_lock_config,
+		"PutObjectLegalHold_disabled_bucket_object_lock_config":               PutObjectLegalHold_disabled_bucket_object_lock_config,
+		"PutObjectLegalHold_success":                                          PutObjectLegalHold_success,
+		"GetObjectLegalHold_non_existing_bucket":                              GetObjectLegalHold_non_existing_bucket,
+		"GetObjectLegalHold_non_existing_object":                              GetObjectLegalHold_non_existing_object,
+		"GetObjectLegalHold_unset_config":                                     GetObjectLegalHold_unset_config,
+		"GetObjectLegalHold_success":                                          GetObjectLegalHold_success,
+		"WORMProtection_bucket_object_lock_configuration_compliance_mode":     WORMProtection_bucket_object_lock_configuration_compliance_mode,
+		"WORMProtection_bucket_object_lock_configuration_governance_mode":     WORMProtection_bucket_object_lock_configuration_governance_mode,
+		"WORMProtection_bucket_object_lock_governance_bypass_delete":          WORMProtection_bucket_object_lock_governance_bypass_delete,
+		"WORMProtection_bucket_object_lock_governance_bypass_delete_multiple": WORMProtection_bucket_object_lock_governance_bypass_delete_multiple,
+		"WORMProtection_object_lock_retention_compliance_locked":              WORMProtection_object_lock_retention_compliance_locked,
+		"WORMProtection_object_lock_retention_governance_locked":              WORMProtection_object_lock_retention_governance_locked,
+		"WORMProtection_object_lock_retention_governance_bypass_overwrite":    WORMProtection_object_lock_retention_governance_bypass_overwrite,
+		"WORMProtection_object_lock_retention_governance_bypass_delete":       WORMProtection_object_lock_retention_governance_bypass_delete,
+		"WORMProtection_object_lock_retention_governance_bypass_delete_mul":   WORMProtection_object_lock_retention_governance_bypass_delete_mul,
+		"WORMProtection_object_lock_legal_hold_locked":                        WORMProtection_object_lock_legal_hold_locked,
+		"PutObject_overwrite_dir_obj":                                         PutObject_overwrite_dir_obj,
+		"PutObject_overwrite_file_obj":                                        PutObject_overwrite_file_obj,
+		"PutObject_dir_obj_with_data":                                         PutObject_dir_obj_with_data,
+		"CreateMultipartUpload_dir_obj":                                       CreateMultipartUpload_dir_obj,
+		"IAM_user_access_denied":                                              IAM_user_access_denied,
+		"IAM_userplus_access_denied":                                          IAM_userplus_access_denied,
+		"IAM_userplus_CreateBucket":                                           IAM_userplus_CreateBucket,
+		"IAM_admin_ChangeBucketOwner":                                         IAM_admin_ChangeBucketOwner,
 	}
 }
--- a/tests/integration/output.go
+++ b/tests/integration/output.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package integration

 import "fmt"
--- a/tests/integration/s3conf.go
+++ b/tests/integration/s3conf.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package integration

 import (
@@ -79,13 +93,8 @@ func (c *S3Conf) getCreds() credentials.StaticCredentialsProvider {
 	return credentials.NewStaticCredentialsProvider(c.awsID, c.awsSecret, "")
 }

-func (c *S3Conf) ResolveEndpoint(service, region string, options ...interface{}) (aws.Endpoint, error) {
-	return aws.Endpoint{
-		PartitionID:       "aws",
-		URL:               c.endpoint,
-		SigningRegion:     c.awsRegion,
-		HostnameImmutable: true,
-	}, nil
+func (c *S3Conf) GetClient() *s3.Client {
+	return s3.NewFromConfig(c.Config())
 }

 func (c *S3Conf) Config() aws.Config {
@@ -100,11 +109,6 @@ func (c *S3Conf) Config() aws.Config {
 		config.WithHTTPClient(client),
 	}

-	if c.endpoint != "" && c.endpoint != "aws" {
-		opts = append(opts,
-			config.WithEndpointResolverWithOptions(c))
-	}
-
 	if c.checksumDisable {
 		opts = append(opts,
 			config.WithAPIOptions([]func(*middleware.Stack) error{v4.SwapComputePayloadSHA256ForUnsignedPayloadMiddleware}))
@@ -121,11 +125,15 @@ func (c *S3Conf) Config() aws.Config {
 		log.Fatalln("error:", err)
 	}

+	if c.endpoint != "" && c.endpoint != "aws" {
+		cfg.BaseEndpoint = &c.endpoint
+	}
+
 	return cfg
 }

 func (c *S3Conf) UploadData(r io.Reader, bucket, object string) error {
-	uploader := manager.NewUploader(s3.NewFromConfig(c.Config()))
+	uploader := manager.NewUploader(c.GetClient())
 	uploader.PartSize = c.PartSize
 	uploader.Concurrency = c.Concurrency

@@ -140,7 +148,7 @@ func (c *S3Conf) UploadData(r io.Reader, bucket, object string) error {
 }

 func (c *S3Conf) DownloadData(w io.WriterAt, bucket, object string) (int64, error) {
-	downloader := manager.NewDownloader(s3.NewFromConfig(c.Config()))
+	downloader := manager.NewDownloader(c.GetClient())
 	downloader.PartSize = c.PartSize
 	downloader.Concurrency = c.Concurrency

--- a/tests/integration/tests.go
+++ b/tests/integration/tests.go
--- a/tests/integration/utils.go
+++ b/tests/integration/utils.go
@@ -1,3 +1,17 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 package integration

 import (
@@ -40,12 +54,18 @@ func getBucketName() string {
 	return fmt.Sprintf("test-bucket-%v", bcktCount)
 }

-func setup(s *S3Conf, bucket string) error {
+func setup(s *S3Conf, bucket string, opts ...setupOpt) error {
 	s3client := s3.NewFromConfig(s.Config())

+	cfg := new(setupCfg)
+	for _, opt := range opts {
+		opt(cfg)
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
 	_, err := s3client.CreateBucket(ctx, &s3.CreateBucketInput{
-		Bucket: &bucket,
+		Bucket:                     &bucket,
+		ObjectLockEnabledForBucket: &cfg.LockEnabled,
 	})
 	cancel()
 	return err
@@ -99,10 +119,20 @@ func teardown(s *S3Conf, bucket string) error {
 	return err
 }

-func actionHandler(s *S3Conf, testName string, handler func(s3client *s3.Client, bucket string) error) error {
+type setupCfg struct {
+	LockEnabled bool
+}
+
+type setupOpt func(*setupCfg)
+
+func withLock() setupOpt {
+	return func(s *setupCfg) { s.LockEnabled = true }
+}
+
+func actionHandler(s *S3Conf, testName string, handler func(s3client *s3.Client, bucket string) error, opts ...setupOpt) error {
 	runF(testName)
 	bucketName := getBucketName()
-	err := setup(s, bucketName)
+	err := setup(s, bucketName, opts...)
 	if err != nil {
 		failF("%v: failed to create a bucket: %v", testName, err)
 		return fmt.Errorf("%v: failed to create a bucket: %w", testName, err)
@@ -138,7 +168,7 @@ type authConfig struct {

 func authHandler(s *S3Conf, cfg *authConfig, handler func(req *http.Request) error) error {
 	runF(cfg.testName)
-	req, err := createSignedReq(cfg.method, s.endpoint, cfg.path, s.awsID, s.awsSecret, cfg.service, s.awsRegion, cfg.body, cfg.date)
+	req, err := createSignedReq(cfg.method, s.endpoint, cfg.path, s.awsID, s.awsSecret, cfg.service, s.awsRegion, cfg.body, cfg.date, nil)
 	if err != nil {
 		failF("%v: %v", cfg.testName, err)
 		return fmt.Errorf("%v: %w", cfg.testName, err)
@@ -167,7 +197,7 @@ func presignedAuthHandler(s *S3Conf, testName string, handler func(client *s3.Pr
 	return nil
 }

-func createSignedReq(method, endpoint, path, access, secret, service, region string, body []byte, date time.Time) (*http.Request, error) {
+func createSignedReq(method, endpoint, path, access, secret, service, region string, body []byte, date time.Time, headers map[string]string) (*http.Request, error) {
 	req, err := http.NewRequest(method, fmt.Sprintf("%v/%v", endpoint, path), bytes.NewReader(body))
 	if err != nil {
 		return nil, fmt.Errorf("failed to send the request: %w", err)
@@ -179,6 +209,9 @@ func createSignedReq(method, endpoint, path, access, secret, service, region str
 	hexPayload := hex.EncodeToString(hashedPayload[:])

 	req.Header.Set("X-Amz-Content-Sha256", hexPayload)
+	for key, val := range headers {
+		req.Header.Add(key, val)
+	}

 	signErr := signer.SignHTTP(req.Context(), aws.Credentials{AccessKeyID: access, SecretAccessKey: secret}, req, hexPayload, service, region, date)
 	if signErr != nil {
--- a/tests/logger.sh
+++ b/tests/logger.sh
@@ -2,16 +2,70 @@

 # levels:  1 - crit, 2 - err, 3 - warn, 4 - info, 5 - debug, 6 - trace

+export LOG_LEVEL_INT=4
+
 log() {
  if [[ $# -ne 2 ]]; then
    echo "log function requires level, message"
    return 1
  fi
-  if [[ $1 -gt $LOG_LEVEL ]]; then
+  # shellcheck disable=SC2153
+  if [[ $1 -gt $LOG_LEVEL_INT ]]; then
    return 0
  fi
-  echo "$2"
-  if [[ -n "$TEST_LOG_FILE" ]]; then
-    echo "$2" >> "$TEST_LOG_FILE"
+  log_level=""
+  case "$1" in
+    1) log_level="CRIT";;
+    2) log_level="ERROR";;
+    3) log_level="WARN";;
+    4) log_level="INFO";;
+    5) log_level="DEBUG";;
+    6) log_level="TRACE";;
+    *) echo "invalid log level $1"; return 1
+  esac
+  if [[ "$2" == *"secret"* ]]; then
+    log_mask "$log_level" "$2"
+    return 0
  fi
-}
+  log_message "$log_level" "$2"
+}
+
+log_mask() {
+  if [[ $# -ne 2 ]]; then
+    echo "mask and log requires level, string"
+    return 1
+  fi
+  local masked_args=()  # Initialize an array to hold the masked arguments
+
+  IFS=' ' read -r -a array <<< "$2"
+
+  mask_next=false
+  for arg in "${array[@]}"; do
+    if [[ $mask_next == true ]]; then
+      masked_args+=("********")
+      mask_next=false
+    elif [[ "$arg" == --secret_key=* ]]; then
+      masked_args+=("--secret_key=********")
+    elif [[ "$arg" == --secret=* ]]; then
+      masked_args+=("--secret=********")
+    else
+      if [[ "$arg" == "--secret_key" ]] || [[ "$arg" == "--secret" ]] || [[ "$arg" == "--s3-iam-secret" ]]; then
+        mask_next=true
+      fi
+      masked_args+=("$arg")
+    fi
+  done
+  log_message "$log_level" "${masked_args[*]}"
+}
+
+log_message() {
+  if [[ $# -ne 2 ]]; then
+    echo "log message requires level, message"
+    return 1
+  fi
+  now="$(date "+%Y-%m-%d %H:%M:%S")"
+  echo "$now $1 $2"
+  if [[ -n "$TEST_LOG_FILE" ]]; then
+    echo "$now $1 $2" >> "$TEST_LOG_FILE"
+  fi
+}
--- a/tests/run.sh
+++ b/tests/run.sh
@@ -5,9 +5,12 @@ show_help() {
    echo "Usage: $0 [option...]"
    echo "   -h, --help          Display this help message and exit"
    echo "   -s, --static        Don't remove buckets between tests"
-    echo "   aws                 Run tests with aws cli"
+    echo "   aws                 Run tests with aws (s3api) cli"
+    echo "   s3api               Run tests with s3api cli"
+    echo "   s3                  Run tests with s3 cli"
    echo "   s3cmd               Run tests with s3cmd utility"
    echo "   mc                  Run tests with mc utility"
+    echo "   aws-user            Run user tests with aws cli"
 }

 handle_param() {
@@ -19,7 +22,7 @@ handle_param() {
      -s|--static)
          export RECREATE_BUCKETS=false
          ;;
-      s3|s3api|aws|s3cmd|mc|user)
+      s3|s3api|aws|s3cmd|mc|aws-user)
          set_command_type "$1"
          ;;
      *) # Handle unrecognized options or positional arguments
@@ -51,8 +54,8 @@ while [[ "$#" -gt 0 ]]; do
  shift # past argument or value
 done

-if [[ -z "$VERSITYGW_TEST_ENV" ]]; then
-  echo "Error:  VERSITYGW_TEST_ENV parameter must be set"
+if [[ -z "$VERSITYGW_TEST_ENV" ]] && [[ $BYPASS_ENV_FILE != "true" ]]; then
+  echo "Error:  VERSITYGW_TEST_ENV parameter must be set, or BYPASS_ENV_FILE must be set to true"
  exit 1
 fi

@@ -86,6 +89,10 @@ case $command_type in
    echo "Running mc tests ..."
    "$HOME"/bin/bats ./tests/test_mc.sh || exit_code=$?
    ;;
+  aws-user)
+    echo "Running aws user tests ..."
+    "$HOME"/bin/bats ./tests/test_user_aws.sh || exit_code=$?
 esac

+# shellcheck disable=SC2086
 exit $exit_code
--- a/tests/run_all.sh
+++ b/tests/run_all.sh
@@ -1,11 +1,11 @@
 #!/bin/bash

-if [[ -z "$VERSITYGW_TEST_ENV" ]]; then
-  echo "Error:  VERSITYGW_TEST_ENV parameter must be set"
+if [[ -z "$VERSITYGW_TEST_ENV" ]] && [[ $BYPASS_ENV_FILE != "true" ]]; then
+  echo "Error:  VERSITYGW_TEST_ENV parameter must be set, or BYPASS_ENV_FILE must be set to true"
  exit 1
 fi

-# shellcheck source=./.env.default
+# shellcheck source=./tests/.env.default
 source "$VERSITYGW_TEST_ENV"
 export RECREATE_BUCKETS

--- a/tests/setup.sh
+++ b/tests/setup.sh
@@ -1,20 +1,20 @@
 #!/usr/bin/env bash

+source ./tests/env.sh
 source ./tests/setup_mc.sh
 source ./tests/versity.sh

 # bats setup function
 setup() {
-  start_versity || start_result=$?
-  if [[ $start_result -ne 0 ]]; then
-    echo "error starting versity executable"
+  if ! check_env_vars; then
+    log 2 "error checking env values"
    return 1
  fi
-
-  check_params || check_result=$?
-  if [[ $check_result -ne 0 ]]; then
-    echo "parameter check failed"
-    return 1
+  if [ "$RUN_VERSITYGW" == "true" ]; then
+    if ! run_versity_app; then
+      log 2 "error starting versity apps"
+      return 1
+    fi
  fi

  log 4 "Running test $BATS_TEST_NAME"
@@ -32,9 +32,8 @@ setup() {
  fi

  if [[ $RUN_MC == true ]]; then
-    check_add_mc_alias || check_result=$?
-    if [[ $check_result -ne 0 ]]; then
-      echo "mc alias check/add failed"
+    if ! check_add_mc_alias; then
+      log 2 "mc alias check/add failed"
      return 1
    fi
  fi
@@ -44,37 +43,10 @@ setup() {
    BUCKET_TWO_NAME
 }

-# make sure required environment variables for tests are defined properly
-# return 0 for yes, 1 for no
-check_params() {
-  if [ -z "$BUCKET_ONE_NAME" ]; then
-    echo "No bucket one name set"
-    return 1
-  elif [ -z "$BUCKET_TWO_NAME" ]; then
-    echo "No bucket two name set"
-    return 1
-  elif [ -z "$RECREATE_BUCKETS" ]; then
-    echo "No recreate buckets parameter set"
-    return 1
-  elif [[ $RECREATE_BUCKETS != "true" ]] && [[ $RECREATE_BUCKETS != "false" ]]; then
-    echo "RECREATE_BUCKETS must be 'true' or 'false'"
-    return 1
-  fi
-  if [[ -z "$LOG_LEVEL" ]]; then
-    export LOG_LEVEL=2
-  else
-    export LOG_LEVEL
-  fi
-  if [[ -n "$TEST_LOG_FILE" ]]; then
-    export TEST_LOG_FILE
-  fi
-  return 0
-}
-
 # fail a test
 # param:  error message
 fail() {
-  echo "$1"
+  log 1 "$1"
  return 1
 }

--- a/tests/setup_mc.sh
+++ b/tests/setup_mc.sh
@@ -8,8 +8,7 @@ check_for_alias() {
    return 2
  fi
  while IFS= read -r line; do
-    error=$(echo "$line" | grep -w "$MC_ALIAS ")
-    if [[ $? -eq 0 ]]; then
+    if echo "$line" | grep -w "$MC_ALIAS "; then
      return 0
    fi
  done <<< "$aliases"
--- a/tests/test_aws.sh
+++ b/tests/test_aws.sh
@@ -5,15 +5,32 @@ source ./tests/util.sh
 source ./tests/util_aws.sh
 source ./tests/util_bucket_create.sh
 source ./tests/util_file.sh
+source ./tests/util_users.sh
 source ./tests/test_common.sh
 source ./tests/commands/copy_object.sh
 source ./tests/commands/delete_bucket_policy.sh
 source ./tests/commands/delete_object_tagging.sh
+source ./tests/commands/get_bucket_acl.sh
 source ./tests/commands/get_bucket_policy.sh
+source ./tests/commands/get_bucket_versioning.sh
 source ./tests/commands/get_object.sh
+source ./tests/commands/get_object_attributes.sh
+source ./tests/commands/get_object_legal_hold.sh
+source ./tests/commands/get_object_lock_configuration.sh
+source ./tests/commands/get_object_retention.sh
+source ./tests/commands/get_object_tagging.sh
+source ./tests/commands/list_object_versions.sh
+source ./tests/commands/put_bucket_acl.sh
 source ./tests/commands/put_bucket_policy.sh
+source ./tests/commands/put_bucket_versioning.sh
 source ./tests/commands/put_object.sh
+source ./tests/commands/put_object_legal_hold.sh
+source ./tests/commands/put_object_retention.sh
+source ./tests/commands/select_object_content.sh

+export RUN_USERS=true
+
+# abort-multipart-upload
@test "test_abort_multipart_upload" {
  local bucket_file="bucket-file"
  bucket_file_data="test file\n"
@@ -34,6 +51,7 @@ source ./tests/commands/put_object.sh
  delete_test_files $bucket_file
 }

+# complete-multipart-upload
@test "test_complete_multipart_upload" {
  local bucket_file="bucket-file"
  bucket_file_data="test file\n"
@@ -55,6 +73,184 @@ source ./tests/commands/put_object.sh
  delete_test_files $bucket_file
 }

+# copy-object
+@test "test_copy_object" {
+  test_common_copy_object "s3api"
+}
+
+@test "test_copy_object_empty" {
+  copy_object_empty || local result=$?
+  [[ result -eq 0 ]] || fail "copy objects with no parameters test failure"
+}
+
+# create-bucket
+@test "test_create_delete_bucket_aws" {
+  test_common_create_delete_bucket "aws"
+}
+
+# create-multipart-upload
+@test "test_create_multipart_upload_properties" {
+  local bucket_file="bucket-file"
+  local bucket_file_data="test file\n"
+
+  local expected_content_type="application/zip"
+  local expected_meta_key="testKey"
+  local expected_meta_val="testValue"
+  local expected_hold_status="ON"
+  local expected_retention_mode="GOVERNANCE"
+  local expected_tag_key="TestTag"
+  local expected_tag_val="TestTagVal"
+  local five_seconds_later
+
+  os_name="$(uname)"
+  if [[ "$os_name" == "Darwin" ]]; then
+    now=$(date -u +"%Y-%m-%dT%H:%M:%S")
+    five_seconds_later=$(date -j -v +10S -f "%Y-%m-%dT%H:%M:%S" "$now" +"%Y-%m-%dT%H:%M:%S")
+  else
+    now=$(date +"%Y-%m-%dT%H:%M:%S")
+    five_seconds_later=$(date -d "$now 10 seconds" +"%Y-%m-%dT%H:%M:%S")
+  fi
+
+  create_test_files "$bucket_file" || fail "error creating test file"
+  printf "%s" "$bucket_file_data" > "$test_file_folder"/$bucket_file
+
+  delete_bucket_if_exists "s3api" "$BUCKET_ONE_NAME" || fail "error deleting bucket, or checking for existence"
+  create_bucket_object_lock_enabled "$BUCKET_ONE_NAME" || fail "error creating bucket"
+
+  log 5 "$five_seconds_later"
+  multipart_upload_with_params "$BUCKET_ONE_NAME" "$bucket_file" "$test_file_folder"/"$bucket_file" 4 \
+    "$expected_content_type" \
+    "{\"$expected_meta_key\": \"$expected_meta_val\"}" \
+    "$expected_hold_status" \
+    "$expected_retention_mode" \
+    "$five_seconds_later" \
+    "$expected_tag_key=$expected_tag_val" || fail "error performing multipart upload"
+
+  head_object "s3api" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error getting metadata"
+  raw_metadata=$(echo "$metadata" | grep -v "InsecureRequestWarning")
+  log 5 "raw metadata: $raw_metadata"
+
+  content_type=$(echo "$raw_metadata" | jq -r ".ContentType")
+  [[ $content_type == "$expected_content_type" ]] || fail "content type mismatch ($content_type, $expected_content_type)"
+  meta_val=$(echo "$raw_metadata" | jq -r ".Metadata.$expected_meta_key")
+  [[ $meta_val == "$expected_meta_val" ]] || fail "metadata val mismatch ($meta_val, $expected_meta_val)"
+  hold_status=$(echo "$raw_metadata" | jq -r ".ObjectLockLegalHoldStatus")
+  [[ $hold_status == "$expected_hold_status" ]] || fail "hold status mismatch ($hold_status, $expected_hold_status)"
+  retention_mode=$(echo "$raw_metadata" | jq -r ".ObjectLockMode")
+  [[ $retention_mode == "$expected_retention_mode" ]] || fail "retention mode mismatch ($retention_mode, $expected_retention_mode)"
+  retain_until_date=$(echo "$raw_metadata" | jq -r ".ObjectLockRetainUntilDate")
+  [[ $retain_until_date == "$five_seconds_later"* ]] || fail "retention date mismatch ($retain_until_date, $five_seconds_later)"
+
+  get_object_tagging "aws" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error getting tagging"
+  log 5 "tags: $tags"
+  tag_key=$(echo "$tags" | jq -r ".TagSet[0].Key")
+  [[ $tag_key == "$expected_tag_key" ]] || fail "tag mismatch ($tag_key, $expected_tag_key)"
+  tag_val=$(echo "$tags" | jq -r ".TagSet[0].Value")
+  [[ $tag_val == "$expected_tag_val" ]] || fail "tag mismatch ($tag_val, $expected_tag_val)"
+
+  put_object_legal_hold "$BUCKET_ONE_NAME" "$bucket_file" "OFF" || fail "error disabling legal hold"
+  head_object "s3api" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error getting metadata"
+
+  get_object "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$test_file_folder/$bucket_file-copy" || fail "error getting object"
+  compare_files "$test_file_folder/$bucket_file" "$test_file_folder/$bucket_file-copy" || fail "files not equal"
+
+  sleep 10
+
+  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
+  delete_test_files $bucket_file
+}
+
+
+# delete-bucket - test_create_delete_bucket_aws
+
+# delete-bucket-policy
+@test "test_get_put_delete_bucket_policy" {
+  test_common_get_put_delete_bucket_policy "aws"
+}
+
+# delete-bucket-tagging
+@test "test-set-get-delete-bucket-tags" {
+  test_common_set_get_delete_bucket_tags "aws"
+}
+
+# delete-object - tested with bucket cleanup before or after tests
+
+# delete-object-tagging
+@test "test_delete_object_tagging" {
+  test_common_delete_object_tagging "aws"
+}
+
+# delete-objects
+@test "test_delete_objects" {
+  local object_one="test-file-one"
+  local object_two="test-file-two"
+
+  create_test_files "$object_one" "$object_two" || local created=$?
+  [[ $created -eq 0 ]] || fail "Error creating test files"
+  setup_bucket "aws" "$BUCKET_ONE_NAME" || local result_one=$?
+  [[ $result_one -eq 0 ]] || fail "Error creating bucket"
+
+  put_object "s3api" "$test_file_folder"/"$object_one" "$BUCKET_ONE_NAME" "$object_one" || local result_two=$?
+  [[ $result_two -eq 0 ]] || fail "Error adding object one"
+  put_object "s3api" "$test_file_folder"/"$object_two" "$BUCKET_ONE_NAME" "$object_two" || local result_three=$?
+  [[ $result_three -eq 0 ]] || fail "Error adding object two"
+
+  error=$(aws --no-verify-ssl s3api delete-objects --bucket "$BUCKET_ONE_NAME" --delete '{
+    "Objects": [
+      {"Key": "test-file-one"},
+      {"Key": "test-file-two"}
+    ]
+  }') || local result=$?
+  [[ $result -eq 0 ]] || fail "Error deleting objects: $error"
+
+  object_exists "aws" "$BUCKET_ONE_NAME" "$object_one" || local exists_one=$?
+  [[ $exists_one -eq 1 ]] || fail "Object one not deleted"
+  object_exists "aws" "$BUCKET_ONE_NAME" "$object_two" || local exists_two=$?
+  [[ $exists_two -eq 1 ]] || fail "Object two not deleted"
+
+  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
+  delete_test_files "$object_one" "$object_two"
+}
+
+# get-bucket-acl
+@test "test_get_bucket_acl" {
+  setup_bucket "aws" "$BUCKET_ONE_NAME" || local created=$?
+  [[ $created -eq 0 ]] || fail "Error creating bucket"
+
+  get_bucket_acl "s3api" "$BUCKET_ONE_NAME" || local result=$?
+  [[ $result -eq 0 ]] || fail "Error retrieving acl"
+
+  id=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq '.Owner.ID')
+  [[ $id == '"'"$AWS_ACCESS_KEY_ID"'"' ]] || fail "Acl mismatch"
+
+  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
+}
+
+#@test "test_get_object_invalid_range" {
+#  bucket_file="bucket_file"
+#
+#  create_test_files "$bucket_file" || local created=$?
+#  [[ $created -eq 0 ]] || fail "Error creating test files"
+#  setup_bucket "s3api" "$BUCKET_ONE_NAME" || local setup_result=$?
+#  [[ $setup_result -eq 0 ]] || fail "error setting up bucket"
+#  put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error putting object"
+#  get_object_with_range "$BUCKET_ONE_NAME" "$bucket_file" "bytes=0-0" "$test_file_folder/$bucket_file-range" || local get_result=$?
+#  [[ $get_result -ne 0 ]] || fail "Get object with zero range returned no error"
+#}
+
+@test "test_get_object_full_range" {
+  bucket_file="bucket_file"
+
+  create_test_files "$bucket_file" || local created=$?
+  [[ $created -eq 0 ]] || fail "Error creating test files"
+  echo -n "0123456789" > "$test_file_folder/$bucket_file"
+  setup_bucket "s3api" "$BUCKET_ONE_NAME" || local setup_result=$?
+  [[ $setup_result -eq 0 ]] || fail "error setting up bucket"
+  put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error putting object"
+  get_object_with_range "$BUCKET_ONE_NAME" "$bucket_file" "bytes=9-15" "$test_file_folder/$bucket_file-range" || fail "error getting range"
+  [[ "$(cat "$test_file_folder/$bucket_file-range")" == "9" ]] || fail "byte range not copied properly"
+}
+
@test "test_put_object" {
  bucket_file="bucket_file"

@@ -66,8 +262,8 @@ source ./tests/commands/put_object.sh
  [[ $setup_result_two -eq 0 ]] || fail "Bucket two setup error"
  put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || local copy_result=$?
  [[ $copy_result -eq 0 ]] || fail "Failed to add object to bucket"
-  error=$(aws --no-verify-ssl s3api copy-object --copy-source "$BUCKET_ONE_NAME/$bucket_file" --key "$bucket_file" --bucket "$BUCKET_TWO_NAME" 2>&1) || local copy_result=$?
-  [[ $copy_result -eq 0 ]] || fail "Error copying file: $error"
+  copy_error=$(aws --no-verify-ssl s3api copy-object --copy-source "$BUCKET_ONE_NAME/$bucket_file" --key "$bucket_file" --bucket "$BUCKET_TWO_NAME" 2>&1) || local copy_result=$?
+  [[ $copy_result -eq 0 ]] || fail "Error copying file: $copy_error"
  copy_file "s3://$BUCKET_TWO_NAME/$bucket_file" "$test_file_folder/${bucket_file}_copy" || local copy_result=$?
  [[ $copy_result -eq 0 ]] || fail "Failed to add object to bucket"
  compare_files "$test_file_folder/$bucket_file" "$test_file_folder/${bucket_file}_copy" || local compare_result=$?
@@ -78,11 +274,6 @@ source ./tests/commands/put_object.sh
  delete_test_files "$bucket_file"
 }

-# test creation and deletion of bucket on versitygw
-@test "test_create_delete_bucket_aws" {
-  test_common_create_delete_bucket "aws"
-}
-
@test "test_create_bucket_invalid_name" {
  if [[ $RECREATE_BUCKETS != "true" ]]; then
    return
@@ -113,19 +304,130 @@ source ./tests/commands/put_object.sh
  test_common_list_objects "aws"
 }

-# test ability to retrieve bucket ACLs
-@test "test_get_bucket_acl" {

-  setup_bucket "aws" "$BUCKET_ONE_NAME" || local created=$?
+@test "test_get_object_attributes" {
+  bucket_file="bucket_file"
+
+  create_test_files "$bucket_file" || local created=$?
+  [[ $created -eq 0 ]] || fail "Error creating test files"
+  setup_bucket "s3api" "$BUCKET_ONE_NAME" || local created=$?
  [[ $created -eq 0 ]] || fail "Error creating bucket"
+  put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || local copy_result=$?
+  [[ $copy_result -eq 0 ]] || fail "Failed to add object to bucket"
+  get_object_attributes "$BUCKET_ONE_NAME" "$bucket_file" || local get_result=$?
+  [[ $get_result -eq 0 ]] || fail "failed to get object attributes"
+  # shellcheck disable=SC2154
+  if echo "$attributes" | jq -e 'has("ObjectSize")'; then
+    object_size=$(echo "$attributes" | jq ".ObjectSize")
+    [[ $object_size == 0 ]] || fail "Incorrect object size: $object_size"
+  else
+    fail "ObjectSize parameter missing: $attributes"
+  fi
+  delete_bucket_or_contents "s3api" "$BUCKET_ONE_NAME"
+}

-  get_bucket_acl "$BUCKET_ONE_NAME" || local result=$?
-  [[ $result -eq 0 ]] || fail "Error retrieving acl"
+@test "test_get_put_object_legal_hold" {
+  # bucket must be created with lock for legal hold
+  if [[ $RECREATE_BUCKETS == false ]]; then
+    return
+  fi

-  id=$(echo "$acl" | grep -v "InsecureRequestWarning" | jq '.Owner.ID')
-  [[ $id == '"'"$AWS_ACCESS_KEY_ID"'"' ]] || fail "Acl mismatch"
+  bucket_file="bucket_file"
+  username="ABCDEFG"
+  secret_key="HIJKLMN"

-  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
+  legal_hold_retention_setup "$username" "$secret_key" "$bucket_file"
+
+  get_object_lock_configuration "$BUCKET_ONE_NAME" || fail "error getting lock configuration"
+  # shellcheck disable=SC2154
+  log 5 "$lock_config"
+  enabled=$(echo "$lock_config" | jq -r ".ObjectLockConfiguration.ObjectLockEnabled")
+  [[ $enabled == "Enabled" ]] || fail "ObjectLockEnabled should be 'Enabled', is '$enabled'"
+
+  put_object_legal_hold "$BUCKET_ONE_NAME" "$bucket_file" "ON" || fail "error putting legal hold on object"
+  get_object_legal_hold "$BUCKET_ONE_NAME" "$bucket_file" || fail "error getting object legal hold status"
+  # shellcheck disable=SC2154
+  log 5 "$legal_hold"
+  hold_status=$(echo "$legal_hold" | grep -v "InsecureRequestWarning" | jq -r ".LegalHold.Status")
+  [[ $hold_status == "ON" ]] || fail "Status should be 'ON', is '$hold_status'"
+
+  echo "fdkljafajkfs" > "$test_file_folder/$bucket_file"
+  put_object_with_user "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || local put_result=$?
+  [[ $put_result -ne 0 ]] || fail "able to overwrite object with hold"
+  # shellcheck disable=SC2154
+  [[ $put_object_error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $put_object_error"
+
+  delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || local delete_result=$?
+  [[ $delete_result -ne 0 ]] || fail "able to delete object with hold"
+  # shellcheck disable=SC2154
+  [[ $delete_object_error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $delete_object_error"
+  put_object_legal_hold "$BUCKET_ONE_NAME" "$bucket_file" "OFF" || fail "error removing legal hold on object"
+  delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || fail "error deleting object after removing legal hold"
+
+  delete_bucket_recursive "s3api" "$BUCKET_ONE_NAME"
+}
+
+#@test "test_get_put_object_retention" {
+#  # bucket must be created with lock for legal hold
+#  if [[ $RECREATE_BUCKETS == false ]]; then
+#    return
+#  fi
+#
+#  bucket_file="bucket_file"
+#  username="ABCDEFG"
+#  secret_key="HIJKLMN"
+#
+#  legal_hold_retention_setup "$username" "$secret_key" "$bucket_file"
+#
+#  get_object_lock_configuration "$BUCKET_ONE_NAME" || fail "error getting lock configuration"
+#  log 5 "$lock_config"
+#  enabled=$(echo "$lock_config" | jq -r ".ObjectLockConfiguration.ObjectLockEnabled")
+#  [[ $enabled == "Enabled" ]] || fail "ObjectLockEnabled should be 'Enabled', is '$enabled'"
+#
+#  if [[ "$OSTYPE" == "darwin"* ]]; then
+#    retention_date=$(date -v+2d +"%Y-%m-%dT%H:%M:%S")
+#  else
+#    retention_date=$(date -d "+2 days" +"%Y-%m-%dT%H:%M:%S")
+#  fi
+#  put_object_retention "$BUCKET_ONE_NAME" "$bucket_file" "GOVERNANCE" "$retention_date" || fail "failed to add object retention"
+#  get_object_retention "$BUCKET_ONE_NAME" "$bucket_file" || fail "failed to get object retention"
+#  log 5 "$retention"
+#  retention=$(echo "$retention" | grep -v "InsecureRequestWarning")
+#  mode=$(echo "$retention" | jq -r ".Retention.Mode")
+#  retain_until_date=$(echo "$retention" | jq -r ".Retention.RetainUntilDate")
+#  [[ $mode == "GOVERNANCE" ]] || fail "retention mode should be governance, is $mode"
+#  [[ $retain_until_date == "$retention_date"* ]] || fail "retain until date should be $retention_date, is $retain_until_date"
+#
+#  echo "fdkljafajkfs" > "$test_file_folder/$bucket_file"
+#  put_object_with_user "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || local put_result=$?
+#  [[ $put_result -ne 0 ]] || fail "able to overwrite object with hold"
+#  [[ $error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $error"
+#
+#  delete_object_with_user "s3api" "$BUCKET_ONE_NAME" "$bucket_file" "$username" "$secret_key" || local delete_result=$?
+#  [[ $delete_result -ne 0 ]] || fail "able to delete object with hold"
+#  [[ $error == *"Object is WORM protected and cannot be overwritten"* ]] || fail "unexpected error message: $error"
+#
+#  delete_object "s3api" "$BUCKET_ONE_NAME" "$bucket_file" || fail "error deleting object"
+#  delete_bucket_recursive "s3api" "$BUCKET_ONE_NAME"
+#}
+
+legal_hold_retention_setup() {
+  if [[ $# -ne 3 ]]; then
+    log 2 "legal hold or retention setup requires username, secret key, bucket file"
+    return 1
+  fi
+
+  delete_bucket_if_exists "s3api" "$BUCKET_ONE_NAME" || fail "error deleting bucket, or checking for existence"
+  create_user_if_nonexistent "$1" "$2" "user" || fail "error creating user if nonexistent"
+  create_test_files "$3" || fail "error creating test files"
+
+  create_bucket_object_lock_enabled "$BUCKET_ONE_NAME" || fail "error creating bucket"
+  change_bucket_owner "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$BUCKET_ONE_NAME" "$1" || fail "error changing bucket ownership"
+  put_object_with_user "s3api" "$test_file_folder/$3" "$BUCKET_ONE_NAME" "$3" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" || fail "failed to add object to bucket"
+}
+
+@test "test_put_bucket_acl" {
+  test_common_put_bucket_acl "s3api"
 }

 # test ability to retrieve object ACLs
@@ -149,42 +451,26 @@ source ./tests/commands/put_object.sh
 #  delete_bucket_or_contents "$BUCKET_ONE_NAME"
 #}

-# test ability to delete multiple objects from bucket
-@test "test_delete_objects" {
-  local object_one="test-file-one"
-  local object_two="test-file-two"

-  create_test_files "$object_one" "$object_two" || local created=$?
-  [[ $created -eq 0 ]] || fail "Error creating test files"
-  setup_bucket "aws" "$BUCKET_ONE_NAME" || local result_one=$?
-  [[ $result_one -eq 0 ]] || fail "Error creating bucket"
+#@test "test_select_object_content" {
+#  bucket_file="bucket_file"
+#
+#  create_test_files "$bucket_file" || local created=$?
+#  [[ $created -eq 0 ]] || fail "Error creating test files"
+#
+#  printf "Field,Value\nSomething,Also Something" > "$test_file_folder/$bucket_file"
+#  cat "$test_file_folder/$bucket_file"
+#
+#  setup_bucket "s3api" "$BUCKET_ONE_NAME" || local created=$?
+#  [[ $created -eq 0 ]] || fail "Error creating bucket"
+#  put_object "s3api" "$test_file_folder/$bucket_file" "$BUCKET_ONE_NAME" "$bucket_file" || local copy_result=$?
+#  [[ $copy_result -eq 0 ]] || fail "Failed to add object to bucket"
+#  select_object_content "$BUCKET_ONE_NAME" "$bucket_file" "select * from s3object limit 1" "SQL" "{\"CSV\": {}}" "{\"CSV\": {}}" "output.csv"
+#}

-  put_object "s3api" "$test_file_folder"/"$object_one" "$BUCKET_ONE_NAME" "$object_one" || local result_two=$?
-  [[ $result_two -eq 0 ]] || fail "Error adding object one"
-  put_object "s3api" "$test_file_folder"/"$object_two" "$BUCKET_ONE_NAME" "$object_two" || local result_three=$?
-  [[ $result_three -eq 0 ]] || fail "Error adding object two"
-
-  error=$(aws --no-verify-ssl s3api delete-objects --bucket "$BUCKET_ONE_NAME" --delete '{
-    "Objects": [
-      {"Key": "test-file-one"},
-      {"Key": "test-file-two"}
-    ]
-  }') || local result=$?
-  [[ $result -eq 0 ]] || fail "Error deleting objects: $error"
-
-  object_exists "aws" "$BUCKET_ONE_NAME" "$object_one" || local exists_one=$?
-  [[ $exists_one -eq 1 ]] || fail "Object one not deleted"
-  object_exists "aws" "$BUCKET_ONE_NAME" "$object_two" || local exists_two=$?
-  [[ $exists_two -eq 1 ]] || fail "Object two not deleted"
-
-  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
-  delete_test_files "$object_one" "$object_two"
-}
-
-# test abilty to set and retrieve bucket tags
-@test "test-set-get-delete-bucket-tags" {
-  test_common_set_get_delete_bucket_tags "aws"
-}
+#@test "test_get_set_versioning" {
+#  test_common_get_set_versioning "s3api"
+#}

 # test v1 s3api list objects command
@test "test-s3api-list-objects-v1" {
@@ -202,8 +488,6 @@ source ./tests/commands/put_object.sh
  put_object "s3api" "$test_file_folder"/"$object_two" "$BUCKET_ONE_NAME" "$object_two" || local copy_result_two=$?
  [[ $copy_result_two -eq 0 ]] || fail "Failed to add object $object_two"

-  sleep 1
-
  list_objects_s3api_v1 "$BUCKET_ONE_NAME"
  key_one=$(echo "$objects" | jq -r '.Contents[0].Key')
  [[ $key_one == "$object_one" ]] || fail "Object one mismatch ($key_one, $object_one)"
@@ -281,6 +565,7 @@ source ./tests/commands/put_object.sh
      echo "error:  blank etag"
      return 1
    fi
+    # shellcheck disable=SC2004
    parts_map[$part_number]=$etag
  done
  [[ ${#parts_map[@]} -ne 0 ]] || fail "error loading multipart upload parts to check"
@@ -316,8 +601,7 @@ source ./tests/commands/put_object.sh
  setup_bucket "aws" "$BUCKET_ONE_NAME" || local result=$?
  [[ $result -eq 0 ]] || fail "Failed to create bucket '$BUCKET_ONE_NAME'"

-  list_multipart_uploads "$BUCKET_ONE_NAME" "$test_file_folder"/"$bucket_file_one" "$test_file_folder"/"$bucket_file_two"
-  [[ $? -eq 0 ]] || fail "failed to list multipart uploads"
+  list_multipart_uploads "$BUCKET_ONE_NAME" "$test_file_folder"/"$bucket_file_one" "$test_file_folder"/"$bucket_file_two" || fail "failed to list multipart uploads"

  local key_one
  local key_two
@@ -358,6 +642,42 @@ source ./tests/commands/put_object.sh
  delete_test_files $bucket_file
 }

+@test "test_multipart_upload_from_bucket_range_too_large" {
+  local bucket_file="bucket-file"
+
+  create_large_file "$bucket_file" || error creating file "$bucket_file"
+  setup_bucket "aws" "$BUCKET_ONE_NAME" || fail "Failed to create bucket '$BUCKET_ONE_NAME'"
+
+  multipart_upload_from_bucket_range "$BUCKET_ONE_NAME" "$bucket_file" "$test_file_folder"/"$bucket_file" 4 "bytes=0-1000000000" || local upload_result=$?
+  [[ $upload_result -eq 1 ]] || fail "multipart upload with overly large range should have failed"
+  log 5 "error: $upload_part_copy_error"
+  [[ $upload_part_copy_error == *"Range specified is not valid"* ]] || [[ $upload_part_copy_error == *"InvalidRange"* ]] || fail "unexpected error: $upload_part_copy_error"
+
+  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
+  delete_test_files $bucket_file
+}
+
+@test "test_multipart_upload_from_bucket_range_valid" {
+  local bucket_file="bucket-file"
+
+  create_large_file "$bucket_file" || error creating file "$bucket_file"
+  setup_bucket "aws" "$BUCKET_ONE_NAME" || fail "Failed to create bucket '$BUCKET_ONE_NAME'"
+
+  range_max=$((5*1024*1024-1))
+  multipart_upload_from_bucket_range "$BUCKET_ONE_NAME" "$bucket_file" "$test_file_folder"/"$bucket_file" 4 "bytes=0-$range_max" || fail "upload failure"
+
+  get_object "s3api" "$BUCKET_ONE_NAME" "$bucket_file-copy" "$test_file_folder/$bucket_file-copy" || fail "error retrieving object after upload"
+  if [[ $(uname) == 'Darwin' ]]; then
+    object_size=$(stat -f%z "$test_file_folder/$bucket_file-copy")
+  else
+    object_size=$(stat --format=%s "$test_file_folder/$bucket_file-copy")
+  fi
+  [[ object_size -eq $((range_max*4+4)) ]] || fail "object size mismatch ($object_size, $((range_max*4+4)))"
+
+  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
+  delete_test_files $bucket_file
+}
+
@test "test-presigned-url-utf8-chars" {
  test_common_presigned_url_utf8_chars "aws"
 }
@@ -414,6 +734,11 @@ source ./tests/commands/put_object.sh
  delete_bucket_or_contents "aws" "$BUCKET_ONE_NAME"
 }

+@test "test_head_bucket_invalid_name" {
+  head_bucket "aws" "" || local head_result=$?
+  [[ $head_result -ne 0 ]] || fail "able to get bucket info for invalid name"
+}
+
@test "test_head_bucket_doesnt_exist" {
  setup_bucket "aws" "$BUCKET_ONE_NAME" || local setup_result=$?
  [[ $setup_result -eq 0 ]] || fail "error setting up bucket"
@@ -449,14 +774,7 @@ source ./tests/commands/put_object.sh
  [[ $value == "\"$test_value\"" ]] || fail "values doesn't match (expected $value, actual \"$test_value\")"
 }

-@test "test_delete_object_tagging" {
-  test_common_delete_object_tagging "aws"
-}

@test "test_get_bucket_location" {
  test_common_get_bucket_location "aws"
 }
-
-@test "test_get_put_delete_bucket_policy" {
-  test_common_get_put_delete_bucket_policy "aws"
-}
--- a/Show More
+++ b/Show More